ETAPS Foreword


Welcome to the 27th ETAPS! ETAPS 2024 took place in Luxembourg City, the 
beautiful capital of Luxembourg. 

ETAPS 2024 is the 27th instance of the European Joint Conferences on Theory and 
Practice of Software. ETAPS is an annual federated conference established in 1998, 
and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each con- 
ference has its own Program Committee (PC) and its own Steering Committee (SC). 
The conferences cover various aspects of software systems, ranging from theoretical 
computer science to foundations of programming languages, analysis tools, and formal 
approaches to software engineering. Organising these conferences in a coherent, highly 
synchronized conference programme enables researchers to participate in an exciting 
event, having the possibility to meet many colleagues working in different directions in 
the field, and to easily attend talks of different conferences. On the weekend before the 
main conference, numerous satellite workshops took place that attracted many 
researchers from all over the globe. 

ETAPS 2024 received 352 submissions in total, 117 of which were accepted, 
yielding an overall acceptance rate of 33%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their reviewing efforts, the PC members for their con- 
tributions, and in particular the PC (co-)chairs for their hard work in running this entire 
intensive process. Last but not least, my congratulations to all authors of the accepted 
papers! 

ETAPS 2024 featured the unifying invited speakers Sandrine Blazy (University of 
Rennes, France) and Lars Birkedal (Aarhus University, Denmark), and the invited 
speakers Ruzica Piskac (Yale University, USA) for TACAS and Jérôme Leroux 
(Laboratoire Bordelais de Recherche en Informatique, France) for FoSSaCS. Invited 
tutorials were provided by Tamar Sharon (Radboud University, the Netherlands) on 
computer ethics and David Monniaux (Verimag, France) on abstract interpretation. 

As part of the programme we had the first ETAPS industry day. The goal of this day 
was to bring industrial practitioners into the heart of the research community and to 
catalyze the interaction between industry and academia. The day was organized by 
Nikolai Kosmatov (Thales Research and Technology, France) and Andrzej Wasowski 
(IT University of Copenhagen, Denmark). 

ETAPS 2024 was organized by the SnT - Interdisciplinary Centre for Security, 
Reliability and Trust, University of Luxembourg. The University of Luxembourg was 
founded in 2003. The university is one of the best and most international young 
universities with 6,000 students from 130 countries and 1,500 academics from all over 
the globe. The local organisation team consisted of Peter Y.A. Ryan (general chair), 
Peter B. Roenne (organisation chair), Maxime Cordy and Renzo Gaston Degiovanni 
(workshop chairs), Magali Martin and Isana Nascimento (event manager), Marjan 
Skrobot (publicity chair), and Afonso Arriaga (local proceedings chair). This team also 
organised the online edition of ETAPS 2021, and now we are happy that they agreed to
also organise a physical edition of ETAPS. 

ETAPS 2024 is further supported by the following associations and societies: 
ETAPS e.V., EATCS (European Association for Theoretical Computer Science), 
EAPLS (European Association for Programming Languages and Systems), and EASST 
(European Association of Software Science and Technology). 

The ETAPS Steering Committee consists of an Executive Board, and representa- 
tives of the individual ETAPS conferences, as well as representatives of EATCS, 
EAPLS, and EASST. The Executive Board consists of Marieke Huisman (Twente, 
chair), Andrzej Wasowski (Copenhagen), Thomas Noll (Aachen), Jan Kofron (Prague), 
Barbara König (Duisburg), Arnd Hartmanns (Twente), Caterina Urban (Inria), Jan 
Křetínský (Munich), Elizabeth Polgreen (Edinburgh), and Lenore Zuck (Chicago). 

Other members of the steering committee are: Maurice ter Beek (Pisa), Dirk Beyer 
(Munich), Artur Boronat (Leicester), Luis Caires (Lisboa), Ana Cavalcanti (York), 
Ferruccio Damiani (Torino), Bernd Finkbeiner (Saarland), Gordon Fraser (Passau), 
Arie Gurfinkel (Waterloo), Reiner Hähnle (Darmstadt), Reiko Heckel (Leicester),
Marijn Heule (Pittsburgh), Joost-Pieter Katoen (Aachen and Twente), Delia Kesner
(Paris), Naoki Kobayashi (Tokyo), Fabrice Kordon (Paris), Laura Kovács (Vienna),
Mark Lawford (Hamilton), Tiziana Margaria (Limerick), Claudio Menghi (Hamilton 
and Bergamo), Andrzej Murawski (Oxford), Laure Petrucci (Paris), Peter Y.A. Ryan 
(Luxembourg), Don Sannella (Edinburgh), Viktor Vafeiadis (Kaiserslautern), Stepha- 
nie Weirich (Pennsylvania), Anton Wijs (Eindhoven), and James Worrell (Oxford). 

I would like to take this opportunity to thank all authors, keynote speakers, atten- 
dees, organizers of the satellite workshops, and Springer Nature for their support. 
ETAPS 2024 was also generously supported by a RESCOM grant from the Luxem- 
bourg National Research Foundation (project 18015543). I hope you all enjoyed 
ETAPS 2024. 

Finally, a big thanks to both Peters, Magali and Isana and their local organization 
team for all their enormous efforts to make ETAPS a fantastic event. 


April 2024 Marieke Huisman 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


This volume contains the papers presented at the 27th International Conference on 
Foundations of Software Science and Computation Structures (FoSSaCS 2024), which 
was held during April 8–11, 2024 in Luxembourg City, Luxembourg. The conference
is dedicated to foundational research with a clear significance for software science and 
brings together research on theories and methods to support the analysis, integration, 
synthesis, transformation, and verification of programs and software systems. 

In addition to an invited talk by Jérôme Leroux (Laboratoire Bordelais de Recherche 
en Informatique, France) on “Ackermannian Completion of Separators”, the program 
consisted of 24 talks on contributed papers, selected from 79 submissions. Each sub- 
mission was assessed by three or more Program Committee members, with the help of 
external reviewers. The conference management system EasyChair was used to handle 
the submissions, to conduct the electronic Program Committee discussions, and to 
assist with the assembly of the proceedings. 

We wish to thank all the authors who submitted papers for consideration, the 
members of the Program Committee for their conscientious work, and all additional 
reviewers who assisted the Program Committee in the evaluation process. We would 
also like to thank Andrzej Murawski, the FoSSaCS Steering Committee Chair for 
various pieces of advice, and the members of the ESOP/FASE/FoSSaCS joint Artifact 
Evaluation Committee for the artifact evaluation. Finally, we would like to thank the 
ETAPS organization for providing an excellent environment for FoSSaCS, the other 
conferences and the workshops. 
From Rewrite Rules to Axioms
in the λΠ-Calculus Modulo Theory


Valentin Blot¹, Gilles Dowek¹, Thomas Traversié¹,², and Théo Winterhalter¹


¹ Université Paris-Saclay, Inria, ENS Paris-Saclay, CNRS, LMF, Gif-sur-Yvette,
France
{valentin.blot,gilles.dowek,thomas.traversie,theo.winterhalter}@inria.fr
² Université Paris-Saclay, CentraleSupélec, MICS, Gif-sur-Yvette, France


Abstract. The λΠ-calculus modulo theory is an extension of simply
typed λ-calculus with dependent types and user-defined rewrite rules.
We show that it is possible to replace the rewrite rules of a theory of the
λΠ-calculus modulo theory by equational axioms, when this theory features
the notions of proposition and proof, while maintaining the same
expressiveness. To do so, we introduce in the target theory a heterogeneous
equality, and we build a translation that replaces each use of the
conversion rule by the insertion of a transport. At the end, the theory
with rewrite rules is a conservative extension of the theory with axioms.


Keywords: Rewrite rules - Equality - Logical Framework. 


1 Introduction 


For Poincaré, the reasoning by which we deduce that 2 + 2 = 4 is not a meaningful
proof, but a simple verification. He concludes that the goal of exact sciences is to
"dispense with these direct verifications" [20]. Far from being solely a philosophical
issue, this principle impacts the foundations of logical systems and in particular
the choice between axioms and rewrite rules. For instance, in systems with
axioms x + succ y = succ (x + y) and x + 0 = x, we can prove that 2 + 2 = 4. On the
other hand, in systems with rewrite rules x + succ y ↪ succ (x + y) and x + 0 ↪ x,
we just need to prove 4 = 4, as we can compute that (2 + 2 = 4) ≡ (4 = 4).
In that respect, logical systems with computation rules are convenient tools for
making proofs. That is why rewrite rules have been added to systems such as
Agda [5] or Coq [12], and why Dowek [9,10] developed Deduction modulo theory,
an extension of first-order logic that mixes computation and proof. Since
logical systems with rewrite rules are more user-friendly, one may ask whether
or not the results are the same as in axiomatic logical systems.

Rewrite rules are at the core of the λΠ-calculus modulo theory, an extension
of simply typed λ-calculus with dependent types and user-definable rewrite
rules [6]. The combination of β-reduction and of the rewrite rules of a signature
Σ forms the conversion ≡_{βΣ}. If we know that t : A with conversion A ≡_{βΣ} B,
then we can derive that t : B. In this system, a theory is a set of rewrite rules,
together with a set of axioms (that are typed constants). The λΠ-calculus modulo
theory is a powerful logical framework in which many theories can be expressed,
such as Predicate logic, Simple type theory or the Calculus of constructions [3,8].
It is the theory behind the Dedukti language [16] and the Lambdapi proof
assistant.

In this paper, we choose to study the replacement of rewrite rules by axioms in
the λΠ-calculus modulo theory. Since it is a logical framework, the result applies
to many theories. Moreover, as Dedukti is geared towards the interoperability
between proof systems, if we want to exchange proofs between a system with
rewrite rules and a system without rewrite rules via Dedukti, we need to replace
rewrite rules by axioms in the λΠ-calculus modulo theory. Working in this logical
framework rather than in an extension of Martin-Löf type theory [17] is therefore
relevant on both theoretical and practical levels, but complicates the task as
the λΠ-calculus modulo theory does not feature identity types or an infinite
hierarchy of sorts.

One method to replace rewrite rules by axioms is to mimic the behavior of
the conversion rule using transports: if we have t : A and A ≡_{βΣ} B with p an
equality between A and B, then we can deduce that transp p t : B, but we do not
directly have t : B. However trivial this seems, we face several challenges when
trying to demonstrate it fully: the insertion of transports in terms and types is
difficult due to the presence of dependent types, and the building of transports
is involved as we cannot have inside the λΠ-calculus modulo theory an equality
between types.

A similar problem is the elimination of equality reflection from extensional
systems. Equality reflection states that ℓ = r implies ℓ ≡ r, just like ℓ ↪ r implies
ℓ ≡ r in systems with rewrite rules. In extensional systems, typing is eased
by a more powerful conversion. Hofmann [14,15] investigated the problem
categorically. Oury [19] developed a translation of proofs from an extensional
version of the Calculus of Constructions to the Calculus of Inductive Constructions
with equality axioms. Winterhalter, Sozeau and Tabareau [23,24] built upon this
result to reduce the number of axioms needed.

The replacement of rewrite rules by axioms paves the way for the interpretation
of a theory into another inside the λΠ-calculus modulo theory. Indeed,
when interpreting a theory into another, we represent each constant of the source
theory by a term in the target theory, but we cannot generally do the same for
rewrite rules. We can however pre-process the source theory to replace its rewrite
rules by axioms, and then interpret it. The interpretation of theories allows us to
prove relative consistency and relative normalization theorems [8].


Contribution. The main contribution of this paper is the translation of a theory
with rewrite rules to a theory with equational axioms. To do so, we restrict the
theories considered to theories with an encoding of the notions of proposition and
proof inside the λΠ-calculus modulo theory. So as to compare objects that possibly
do not have the same type, we define a heterogeneous equality, following
the one defined by McBride [18]. The restriction considered allows us to build an
equality between particular types, called small types. We define a type system
with typed conversion for the λΠ-calculus modulo theory, so that the proofs are
done by induction on the derivation trees more easily.


Outline of the paper. In Section 2 we present the λΠ-calculus modulo theory,
we detail a prelude encoding of the notions of proposition and proof in it, and
we identify the assumptions made on the considered theories. The heterogeneous
equality and the equality between small types are presented in Section 3. The
replacement of rewrite rules by axioms and the translation of terms, judgments
and theories are presented in the section that follows.


2 Theories in the λΠ-Calculus Modulo Theory


In this section, we give a more detailed overview of the λΠ-calculus modulo
theory [6] and its type system. In particular, we present an encoding of the notions
of proposition and proof in the λΠ-calculus modulo theory [3]. We characterize
small types, a subclass of types for which we can define an equality.


2.1 The λΠ-Calculus Modulo Theory


The λΠ-calculus, also known as the Edinburgh Logical Framework [13], is an
extension of simply typed λ-calculus with dependent types. The λΠ-calculus
modulo theory (λΠ/≡) [6] is an extension of the λΠ-calculus, in which user-definable
rewrite rules have been added [7]. Its syntax is given by:

\[
\begin{array}{lrcl}
\text{Sorts} & s & ::= & \mathsf{TYPE} \mid \mathsf{KIND} \\
\text{Terms} & t, u, A, B & ::= & c \mid x \mid s \mid \Pi x : A.\ B \mid \lambda x : A.\ t \mid t\ u \\
\text{Contexts} & \Gamma & ::= & \langle\rangle \mid \Gamma, x : C \\
\text{Signatures} & \Sigma & ::= & \langle\rangle \mid \Sigma, c : D \mid \Sigma, \ell \hookrightarrow r
\end{array}
\]

where c is a constant and x is a variable (ranging over disjoint sets), C and r
are terms, D is a closed term (i.e. a term with no free variables) and ℓ is a term
such that ℓ = c t₁ ... tₙ with c a constant. TYPE and KIND are two sorts: terms of
type TYPE are called types, and terms of type KIND are called kinds. Πx : A. B
is a dependent product, λx : A. t is an abstraction and t u is an application.
Πx : A. B is simply written A → B if x does not appear in B. Signatures
and contexts are finite sequences, and are written ⟨⟩ when empty. Signatures
contain both typed constants and rewrite rules (written ℓ ↪ r). λΠ/≡ is a
logical framework, in which Σ is fixed by the user depending on the logic they
are working in.

The relation ↪_{βΣ} is generated by β-reduction and by the rules of Σ. More
explicitly, ↪_{βΣ} is the smallest relation, closed by context, such that if t rewrites
to u for some rule in Σ or by β-reduction then t ↪_{βΣ} u. Conversion ≡_{βΣ} is the
reflexive, symmetric, and transitive closure of ↪_{βΣ}.
2.2 The Type System of the λΠ-Calculus Modulo Theory


We introduce in Figs. 1 and 2 the typing rules for λΠ/≡. Fig. 1 presents the usual
typing rules while Fig. 2 focuses on the conversion rules. We write ⊢ Γ when
the context Γ is well formed and Γ ⊢ t : A when t is of type A in the context
Γ. ⟨⟩ ⊢ t : A is simply written ⊢ t : A. The notation (⊢ Γ₁) ≡ (⊢ Γ₂) means
that Γ₁ and Γ₂ are both well formed, have the same length and have the same
variables with convertible types. We write (Γ₁ ⊢ t₁ : A₁) ≡ (Γ₂ ⊢ t₂ : A₂) when
t₁ and t₂ are convertible with Γ₁ ⊢ t₁ : A₁ and Γ₂ ⊢ t₂ : A₂. In particular,
convertible terms t₁ ≡ t₂ are authorized to have different types (provided that
both types are convertible) and to be typed in different contexts (provided
that both contexts are convertible). In ConvRule, x̄ is a vector representing the
free variables of ℓ. The standard weakening rule and substitution lemma can be
derived from this type system.


\[
\frac{}{\vdash \langle\rangle}\ \textsc{Empty}
\qquad
\frac{\vdash \Gamma \qquad \Gamma \vdash A : s}{\vdash \Gamma, x : A}\ \textsc{Decl}\ (x \notin \Gamma)
\qquad
\frac{\vdash \Gamma}{\Gamma \vdash \mathsf{TYPE} : \mathsf{KIND}}\ \textsc{Sort}
\]
\[
\frac{\vdash \Gamma}{\Gamma \vdash c : A}\ \textsc{Const}\ (c : A \in \Sigma)
\qquad
\frac{\vdash \Gamma}{\Gamma \vdash x : A}\ \textsc{Var}\ (x : A \in \Gamma)
\]
\[
\frac{\Gamma \vdash A : \mathsf{TYPE} \qquad \Gamma, x : A \vdash B : s}{\Gamma \vdash \Pi x : A.\ B : s}\ \textsc{Prod}
\qquad
\frac{\Gamma \vdash A : \mathsf{TYPE} \qquad \Gamma, x : A \vdash B : s \qquad \Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x : A.\ t : \Pi x : A.\ B}\ \textsc{Abs}
\]
\[
\frac{\Gamma \vdash t : \Pi x : A.\ B \qquad \Gamma \vdash u : A}{\Gamma \vdash t\ u : B[x \mapsto u]}\ \textsc{App}
\qquad
\frac{\Gamma \vdash t : A \qquad (\Gamma \vdash A : s) \equiv (\Gamma \vdash B : s)}{\Gamma \vdash t : B}\ \textsc{Conv}
\]

Fig. 1. Typing rules of the λΠ-calculus modulo theory


Lemma 1 (Substitution).


– If we have ⊢ Γ, x : A, Δ and Γ ⊢ u : A, then ⊢ Γ, Δ[x ↦ u].

– If we have Γ, x : A, Δ ⊢ t : B and Γ ⊢ u : A, then Γ, Δ[x ↦ u] ⊢ t[x ↦ u] :
B[x ↦ u].

– If we have (⊢ Γ₁, x : A₁, Δ₁) ≡ (⊢ Γ₂, x : A₂, Δ₂) and Γ₁ ⊢ u : A₁, then
(⊢ Γ₁, Δ₁[x ↦ u]) ≡ (⊢ Γ₂, Δ₂[x ↦ u]).

– If we have (Γ₁, x : A₁, Δ₁ ⊢ t₁ : B₁) ≡ (Γ₂, x : A₂, Δ₂ ⊢ t₂ : B₂) and
Γ₁ ⊢ u : A₁, then (Γ₁, Δ₁[x ↦ u] ⊢ t₁[x ↦ u] : B₁[x ↦ u]) ≡ (Γ₂, Δ₂[x ↦
u] ⊢ t₂[x ↦ u] : B₂[x ↦ u]).


Proof. We proceed by induction on the typing derivation.


\[
\frac{\Gamma \vdash u : A}{(\Gamma \vdash u : A) \equiv (\Gamma \vdash u : A)}\ \textsc{ConvRefl}
\qquad
\frac{(\Gamma \vdash u : A) \equiv (\Gamma \vdash v : B)}{(\Gamma \vdash v : B) \equiv (\Gamma \vdash u : A)}\ \textsc{ConvSym}
\]
\[
\frac{(\Gamma \vdash u : A) \equiv (\Gamma \vdash v : B) \qquad (\Gamma \vdash v : B) \equiv (\Gamma \vdash w : C)}{(\Gamma \vdash u : A) \equiv (\Gamma \vdash w : C)}\ \textsc{ConvTrans}
\]
\[
\frac{(\vdash \Gamma_1) \equiv (\vdash \Gamma_2) \qquad (\Gamma_1 \vdash A_1 : s) \equiv (\Gamma_2 \vdash A_2 : s)}{(\vdash \Gamma_1, x : A_1) \equiv (\vdash \Gamma_2, x : A_2)}\ \textsc{ConvDecl}\ (x \notin \Gamma_1, \Gamma_2)
\]
\[
\frac{(\vdash \Gamma_1) \equiv (\vdash \Gamma_2) \qquad \vdash A : s}{(\Gamma_1 \vdash c : A) \equiv (\Gamma_2 \vdash c : A)}\ \textsc{ConvConst}\ (c : A \in \Sigma)
\qquad
\frac{(\vdash \Gamma_1) \equiv (\vdash \Gamma_2)}{(\Gamma_1 \vdash x : A_1) \equiv (\Gamma_2 \vdash x : A_2)}\ \textsc{ConvVar}\ (x : A_1 \in \Gamma_1,\ x : A_2 \in \Gamma_2)
\]
\[
\frac{(\Gamma_1 \vdash A_1 : \mathsf{TYPE}) \equiv (\Gamma_2 \vdash A_2 : \mathsf{TYPE}) \qquad (\Gamma_1, x : A_1 \vdash B_1 : s) \equiv (\Gamma_2, x : A_2 \vdash B_2 : s)}{(\Gamma_1 \vdash \Pi x : A_1.\ B_1 : s) \equiv (\Gamma_2 \vdash \Pi x : A_2.\ B_2 : s)}\ \textsc{ConvProd}
\]
\[
\frac{\begin{array}{c}
(\Gamma_1 \vdash A_1 : \mathsf{TYPE}) \equiv (\Gamma_2 \vdash A_2 : \mathsf{TYPE}) \qquad (\Gamma_1, x : A_1 \vdash B_1 : s) \equiv (\Gamma_2, x : A_2 \vdash B_2 : s) \\
(\Gamma_1, x : A_1 \vdash t_1 : B_1) \equiv (\Gamma_2, x : A_2 \vdash t_2 : B_2)
\end{array}}{(\Gamma_1 \vdash \lambda x : A_1.\ t_1 : \Pi x : A_1.\ B_1) \equiv (\Gamma_2 \vdash \lambda x : A_2.\ t_2 : \Pi x : A_2.\ B_2)}\ \textsc{ConvAbs}
\]
\[
\frac{(\Gamma_1 \vdash t_1 : \Pi x : A_1.\ B_1) \equiv (\Gamma_2 \vdash t_2 : \Pi x : A_2.\ B_2) \qquad (\Gamma_1 \vdash u_1 : A_1) \equiv (\Gamma_2 \vdash u_2 : A_2)}{(\Gamma_1 \vdash t_1\ u_1 : B_1[x \mapsto u_1]) \equiv (\Gamma_2 \vdash t_2\ u_2 : B_2[x \mapsto u_2])}\ \textsc{ConvApp}
\]
\[
\frac{\Gamma \vdash A : \mathsf{TYPE} \qquad \Gamma, x : A \vdash t : B \qquad \Gamma, x : A \vdash B : s \qquad \Gamma \vdash u : A}{(\Gamma \vdash (\lambda x : A.\ t)\ u : B[x \mapsto u]) \equiv (\Gamma \vdash t[x \mapsto u] : B[x \mapsto u])}\ \textsc{ConvBeta}
\]
\[
\frac{\bar{x} : \bar{B} \vdash \ell : A \qquad \bar{x} : \bar{B} \vdash r : A \qquad \Gamma \vdash \bar{t} : \bar{B}}{(\Gamma \vdash \ell[\bar{x} \mapsto \bar{t}] : A[\bar{x} \mapsto \bar{t}]) \equiv (\Gamma \vdash r[\bar{x} \mapsto \bar{t}] : A[\bar{x} \mapsto \bar{t}])}\ \textsc{ConvRule}\ (\ell \hookrightarrow r \in \Sigma)
\]
\[
\frac{\Gamma \vdash u : A \qquad (\Gamma \vdash A : s) \equiv (\Gamma \vdash B : s)}{(\Gamma \vdash u : A) \equiv (\Gamma \vdash u : B)}\ \textsc{ConvConv}
\]

Fig. 2. Convertibility rules of the λΠ-calculus modulo theory

We chose to present a type system with typed conversion (written ≡), so as
to easily do proofs on the derivations, while the usual type system for λΠ/≡
features untyped conversion (written ≡_{βΣ}). The equivalence between type
systems with typed conversion and type systems with untyped conversion has
been a longstanding question: Geuvers and Werner [11] investigated the case
of Pure Type Systems with βη-convertibility, Adams [1] proved the equivalence
in the case of functional Pure Type Systems, and Siles [21,22] later proved the
equivalence in the general case of the Pure Type Systems. The case of λΠ/≡,
in which we have β-convertibility but also user-defined rewrite rules, remains to
be investigated.

We write |Σ| for the set of constants of Σ, and Λ(Σ) for the set of terms t
whose constants belong to |Σ|. We say that T = Σ is a theory when for each
rule ℓ ↪ r ∈ Σ we have ℓ and r in Λ(Σ), when ↪_{βΣ} is confluent on Λ(Σ), and
when every rule of Σ preserves typing in Σ (that is when for all context Γ and
for all term A ∈ Λ(Σ), if Γ ⊢ ℓ : A then Γ ⊢ r : A).


Example 1 (Natural numbers and lists). We can define in λΠ/≡ a partial theory
of natural numbers and indexed lists of natural numbers. nat represents the type
of natural numbers and list represents the dependent type of indexed lists of
natural numbers. cons adds a new element to a list, concat concatenates two
lists, and isRev checks if the first given list is the reverse of the second.

\[
\begin{array}{llll}
\mathsf{nat} : \mathsf{TYPE} & 0 : \mathsf{nat} & \mathsf{succ} : \mathsf{nat} \to \mathsf{nat} & + : \mathsf{nat} \to \mathsf{nat} \to \mathsf{nat} \\
x + 0 \hookrightarrow x & x + \mathsf{succ}\ y \hookrightarrow \mathsf{succ}\ (x + y) & \mathsf{list} : \mathsf{nat} \to \mathsf{TYPE} & \mathsf{nil} : \mathsf{list}\ 0 \\
\multicolumn{4}{l}{\mathsf{cons} : \Pi x : \mathsf{nat}.\ \mathsf{list}\ x \to \mathsf{nat} \to \mathsf{list}\ (\mathsf{succ}\ x)} \\
\multicolumn{4}{l}{\mathsf{isRev} : \Pi x : \mathsf{nat}.\ \mathsf{list}\ x \to \mathsf{list}\ x \to \mathsf{TYPE}} \\
\multicolumn{4}{l}{\mathsf{concat} : \Pi x, y : \mathsf{nat}.\ \mathsf{list}\ x \to \mathsf{list}\ y \to \mathsf{list}\ (x + y)}
\end{array}
\]

In the context ℓ : list (succ 0), we have concat (succ 0) 0 ℓ nil of type list (succ 0 +
0). If we want to compare ℓ and this new list with isRev, we cannot directly do
it because they do not have the same type. However, we can use the conversion
rule with list (succ 0 + 0) ≡_{βΣ} list (succ 0). This conversion derives from the
rewrite rule x + 0 ↪ x instantiated with x := succ 0.
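The conversion used in Example 1 can be checked mechanically. The Python program below is an added illustration; it is not code from the paper, nor from Dedukti or Lambdapi. It implements first-order matching and rewriting for the rules of Σ_nat, normalizes terms by leftmost-outermost steps, and decides conversion by comparing normal forms. It assumes that no rule contains a binder (so λ, Π and β-reduction are omitted) and that the rules are confluent and terminating (which the definition of a theory requires but the program does not check). The names `num`, `two_plus_two` and `example_1`, and the terms constructed inside them, are the example's own.

```python
from dataclasses import dataclass

# First-order fragment used by Example 1: constants, pattern variables (only in
# rules) and application. Assumption: no rule of Σ_nat contains a binder, so
# λ/Π and β-reduction are left out.
@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

def app(head, *args):
    """Left-nested application: app(c, t1, t2) is (c t1) t2."""
    term = head
    for a in args:
        term = App(term, a)
    return term

def match(pattern, term, sigma):
    """Syntactic matching; extends sigma (name -> term) in place, False on mismatch."""
    if isinstance(pattern, Var):
        bound = sigma.get(pattern.name)
        if bound is None:
            sigma[pattern.name] = term
            return True
        return bound == term                # non-linear pattern: same instance twice
    if isinstance(pattern, Const):
        return pattern == term
    return (isinstance(term, App)
            and match(pattern.fun, term.fun, sigma)
            and match(pattern.arg, term.arg, sigma))

def subst(term, sigma):
    """Instantiate a rule right-hand side with the matched substitution."""
    if isinstance(term, Var):
        return sigma.get(term.name, term)
    if isinstance(term, App):
        return App(subst(term.fun, sigma), subst(term.arg, sigma))
    return term

def step(term, rules):
    """One leftmost-outermost rewrite step; None when term is in normal form."""
    for lhs, rhs in rules:                  # every rule is tried at the root first
        sigma = {}
        if match(lhs, term, sigma):
            return subst(rhs, sigma)
    if isinstance(term, App):               # then descend, function side first
        reduced = step(term.fun, rules)
        if reduced is not None:
            return App(reduced, term.arg)
        reduced = step(term.arg, rules)
        if reduced is not None:
            return App(term.fun, reduced)
    return None

def normalize(term, rules, fuel=10_000):
    """Iterate step to a normal form; fuel guards against non-terminating rules."""
    for _ in range(fuel):
        nxt = step(term, rules)
        if nxt is None:
            return term
        term = nxt
    raise RuntimeError("no normal form reached within the fuel budget")

def convertible(t, u, rules):
    """Decide t ≡ u by comparing normal forms. Sound and complete only when the
    rewrite relation is confluent and terminating (assumed, true for Σ_nat)."""
    return normalize(t, rules) == normalize(u, rules)

# The rewrite rules of Σ_nat from Example 1 (types are not tracked, only terms).
ZERO, SUCC, PLUS, LIST = Const("0"), Const("succ"), Const("+"), Const("list")
X, Y = Var("x"), Var("y")
RULES_NAT = [
    (app(PLUS, X, ZERO), X),                                   # x + 0 ↪ x
    (app(PLUS, X, app(SUCC, Y)), app(SUCC, app(PLUS, X, Y))),  # x + succ y ↪ succ (x + y)
]

def num(n):
    """The numeral succ^n 0."""
    term = ZERO
    for _ in range(n):
        term = app(SUCC, term)
    return term

def two_plus_two():
    """The verification of the introduction: 2 + 2 computes to the numeral 4."""
    return normalize(app(PLUS, num(2), num(2)), RULES_NAT)

def example_1():
    """The conversion of Example 1: list (succ 0 + 0) ≡ list (succ 0)."""
    type_of_concat = app(LIST, app(PLUS, app(SUCC, ZERO), ZERO))   # type of concat (succ 0) 0 ℓ nil
    type_of_ell = app(LIST, app(SUCC, ZERO))                       # type of ℓ
    return convertible(type_of_concat, type_of_ell, RULES_NAT)
```

Because `step` tries the rules at the root before descending, `x + 0 ↪ x` fires on `succ 0 + 0` in a single step, which is exactly the instance `x := succ 0` that justifies the conversion in Example 1; `list (succ 0)` and `list (succ (succ 0))` are both normal forms and therefore correctly reported as not convertible.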


2.3 A Prelude Encoding for the λΠ-Calculus Modulo Theory


It is possible to introduce in λΠ/≡ the notions of proposition and proof [3].
In particular, this encoding (called prelude encoding) gives the possibility to
quantify on certain propositions through codes, which is not possible inside the
standard λΠ/≡. This encoding is defined by the following signature.

Definition 1. The signature Σ_pre contains the following constants and rewrite
rules:

\[
\begin{array}{ll}
\mathsf{Set} : \mathsf{TYPE} & o : \mathsf{Set} \\
\mathsf{El} : \mathsf{Set} \to \mathsf{TYPE} & \mathsf{Prf} : \mathsf{El}\ o \to \mathsf{TYPE} \\
\leadsto_d : \Pi x : \mathsf{Set}.\ (\mathsf{El}\ x \to \mathsf{Set}) \to \mathsf{Set} & \Rightarrow_d : \Pi x : \mathsf{El}\ o.\ (\mathsf{Prf}\ x \to \mathsf{El}\ o) \to \mathsf{El}\ o \\
\pi : \Pi x : \mathsf{El}\ o.\ (\mathsf{Prf}\ x \to \mathsf{Set}) \to \mathsf{Set} & \forall : \Pi x : \mathsf{Set}.\ (\mathsf{El}\ x \to \mathsf{El}\ o) \to \mathsf{El}\ o \\
\mathsf{El}\ (x \leadsto_d y) \hookrightarrow \Pi z : \mathsf{El}\ x.\ \mathsf{El}\ (y\ z) & \mathsf{Prf}\ (x \Rightarrow_d y) \hookrightarrow \Pi z : \mathsf{Prf}\ x.\ \mathsf{Prf}\ (y\ z) \\
\mathsf{El}\ (\pi\ x\ y) \hookrightarrow \Pi z : \mathsf{Prf}\ x.\ \mathsf{El}\ (y\ z) & \mathsf{Prf}\ (\forall\ x\ y) \hookrightarrow \Pi z : \mathsf{El}\ x.\ \mathsf{Prf}\ (y\ z)
\end{array}
\]

We declare the constant Set, which represents the universe of types, along with
the injection El that maps terms of type Set into TYPE. o is a term of type
Set such that El o defines the universe of propositions. The injection Prf maps
propositions into TYPE. ⇝_d (respectively ⇒_d) is written infix and is used to
represent dependent function types between terms of type Set (respectively El o).
The symbol π (respectively ∀) is used to represent dependent function types
between elements of type El o and Set (respectively Set and El o).

The main advantage of this encoding is that it allows us to quantify on
propositions. Indeed, in λΠ/≡, we cannot quantify on TYPE. Instead, we can
quantify on objects of type El o, and then inject them into TYPE using Prf.


2.4 Small Types and Small Derivations


As we work in λΠ/≡ rather than in an extension of Martin-Löf type theory,
we do not have a pre-defined equality. Moreover, we cannot define an equality
between types since such an object would have type TYPE → TYPE → TYPE, which
is not allowed in λΠ/≡.

If we want to compare types Prf a and Prf b, we cannot do it directly, but
we can compare a and b (that are of type El o). We can proceed similarly to
compare types El a and El b (with a and b of type Set). In that respect, we
want types to be in a special form (called small type) that takes advantage
of the prelude encoding, so as to compare them if necessary. To put types of the
prelude encoding into this special form, we use the reverse of the rewrite rules of
Σ_pre to represent dependent types with the symbols ⇝_d, ⇒_d, π and ∀ whenever
it is possible. This is achieved by the partial function ν, defined by:

\[
\begin{array}{l}
\nu(\mathsf{Set}) = \mathsf{Set} \qquad \nu(\mathsf{Prf}\ a) = \mathsf{Prf}\ a \qquad \nu(\mathsf{El}\ a) = \mathsf{El}\ a \\[6pt]
\nu(\Pi x : A.\ B) = \left\{\begin{array}{ll}
\mathsf{Prf}\ (a \Rightarrow_d (\lambda x : \mathsf{Prf}\ a.\ b)) & \text{if } \nu(A) = \mathsf{Prf}\ a \text{ and } \nu(B) = \mathsf{Prf}\ b \\
\mathsf{El}\ (a \leadsto_d (\lambda x : \mathsf{El}\ a.\ b)) & \text{if } \nu(A) = \mathsf{El}\ a \text{ and } \nu(B) = \mathsf{El}\ b \\
\mathsf{Prf}\ (\forall\ a\ (\lambda x : \mathsf{El}\ a.\ b)) & \text{if } \nu(A) = \mathsf{El}\ a \text{ and } \nu(B) = \mathsf{Prf}\ b \\
\mathsf{El}\ (\pi\ a\ (\lambda x : \mathsf{Prf}\ a.\ b)) & \text{if } \nu(A) = \mathsf{Prf}\ a \text{ and } \nu(B) = \mathsf{El}\ b \\
\Pi x : \nu(A).\ \nu(B) & \text{otherwise}
\end{array}\right.
\end{array}
\]

Therefore, when ν(A) is defined, we have A ≡_{βΣ_pre} ν(A). Note that ν is partial
because we do not handle the case where a type is a β-reducible expression, as
in practice we will not have types under λ-abstraction form.
To continue to characterize a particular form of types, we define the three
following grammars:

\[
\begin{array}{l}
\mathcal{S} ::= \mathsf{Set} \mid \mathcal{S} \to \mathcal{S} \qquad\qquad
\mathcal{P} ::= \mathsf{Prf}\ a \mid \mathcal{P} \to \mathcal{S} \mid \Pi x : \mathcal{S}.\ \mathcal{P} \\
\mathcal{E} ::= \mathsf{El}\ b \mid \mathcal{E} \to \mathcal{S} \mid \Pi x : \mathcal{S}.\ \mathcal{E}
\end{array}
\]

with a : El o and b : Set. The notation A ∈ S means that A is generated by the
grammar S. The grammar S generates types that only contain Set. Therefore,
if ν(A) ∈ S then ν(A) = A. The grammars P and E generate types that contain
a central symbol Prf or El.


Definition 2 (Small type, Small context). A type A is small when ν(A) is
defined and ν(A) ∈ S ∪ P ∪ E. In that case, ν(A) is called the small form of A.
A context Γ is small when for every x : A ∈ Γ we have that A is a small type.


Example 2. Prf a → Prf b, with a, b : El o, is a small type since its small form
Prf (a ⇒_d (λx. b)) is generated by the grammar P. The type Πx : Prf b. El c, with
c : Set depending on x, is a small type since its small form El (π b (λx : Prf b. c))
is generated by the grammar E. The type Prf a → Set → Prf b is not small,
since ν(Prf a → Set → Prf b) = Prf a → Set → Prf b ∉ S ∪ P ∪ E.


We would ideally like all the types to be small, so that we can compare them if
necessary. Therefore, if Γ ⊢ t : A, we want A to be a small type, or t to be a
small type and A = TYPE. However, small types are built using the constants of
Σ_pre. In particular, the types of the constants o, ⇝_d, ⇒_d and ∀ are small, but
the types of π, Prf and El are not. Note that the type of an application of π,
Prf or El is small. We thus come up with the following notion.


Definition 3 (Small judgment). ⊢ Γ is a small judgment when Γ is a small
context. Γ ⊢ t : A is a small judgment when Γ is a small context and when

– t : A ∈ Σ_pre,
– or t is the type of a constant of Σ_pre,
– or A is a small type,
– or t is a small type.

(Γ₁ ⊢ t₁ : A₁) ≡ (Γ₂ ⊢ t₂ : A₂) is a small judgment when Γ₁ ⊢ t₁ : A₁ and
Γ₂ ⊢ t₂ : A₂ are small.


Definition 4 (Small derivation). A small derivation is a derivation in which
all the judgments are small.
2.5 Theories with Prelude Encoding


We define the theories we will consider in the rest of the paper: theories that
feature the prelude encoding inside λΠ/≡.


Definition 5 (Theory with prelude encoding). We say that a theory T = Σ
in λΠ/≡ is a theory with prelude encoding when:

– there exists Σ_T such that Σ = Σ_pre ∪ Σ_T and Σ_pre ∩ Σ_T = ∅,
– for every c : A ∈ Σ_T, A is small and admits a small derivation ⊢ A : TYPE,
– for every ℓ ↪ r ∈ Σ_T, we have small derivations x̄ : B̄ ⊢ ℓ : A and
x̄ : B̄ ⊢ r : A with A a small type, where x̄ represents the free variables of ℓ.


A theory with prelude encoding is a theory with the constants and rewrite rules
of Σ_pre, and additional user-defined constants and rewrite rules. To ensure that Σ_T
is encoded inside the prelude encoding, we can only define new constants whose
types are small. We do not allow the use of rewrite rules ℓ ↪ r when ℓ has TYPE
in its type. In particular, we cannot define new rewrite rules on Prf or El and
change the behavior of these constants. It follows that the three grammars S, P
and E generate disjoint types.

In the following examples, we present three theories with prelude encoding
in λΠ/≡. The examples of predicate logic and set theory illustrate that the
restrictions considered are generally respected, even for expressive theories.


Example 3 (Predicate logic). Predicate logic can be encoded in a theory with
prelude encoding. We declare constants for tautology and contradiction ⊤, ⊥ :
El o, for negation ¬ : El o → El o, for conjunction and disjunction ∧, ∨ : El o →
El o → El o, and for existential quantification ∃ : Πx : Set. (El x → El o) → El o.
The semantics of tautology is defined by the rewrite rule ⊤ ↪ ∀ o (λx : El o. x ⇒
x), which is equivalent to the more common form Prf ⊤ ↪ Πx : El o. Prf x →
Prf x. The rewrite rule Prf (A ∧ B) ↪ ΠP : El o. (Prf A → Prf B → Prf P) →
Prf P can be encoded by A ∧ B ↪ ∀ o (λP. (A ⇒ B ⇒ P) ⇒ P). The rule
Prf (¬A) ↪ Prf A → Prf ⊥ is forbidden, but ¬A ↪ A ⇒ ⊥ is allowed. We
proceed similarly for the other rewrite rules.


Example 4 (Natural numbers and lists). We can define our small theory of
natural numbers and lists in the prelude encoding, by replacing TYPE by Set (in the
universe of types) or El o (in the universe of propositions), and by adding El
and Prf at the necessary positions.

\[
\begin{array}{llll}
\mathsf{nat} : \mathsf{Set} & 0 : \mathsf{El}\ \mathsf{nat} & \mathsf{succ} : \mathsf{El}\ \mathsf{nat} \to \mathsf{El}\ \mathsf{nat} & + : \mathsf{El}\ \mathsf{nat} \to \mathsf{El}\ \mathsf{nat} \to \mathsf{El}\ \mathsf{nat} \\
\mathsf{list} : \mathsf{El}\ \mathsf{nat} \to \mathsf{Set} & x + 0 \hookrightarrow x & x + \mathsf{succ}\ y \hookrightarrow \mathsf{succ}\ (x + y) & \mathsf{nil} : \mathsf{El}\ (\mathsf{list}\ 0) \\
\multicolumn{4}{l}{\mathsf{cons} : \Pi x : \mathsf{El}\ \mathsf{nat}.\ \mathsf{El}\ (\mathsf{list}\ x) \to \mathsf{El}\ \mathsf{nat} \to \mathsf{El}\ (\mathsf{list}\ (\mathsf{succ}\ x))} \\
\multicolumn{4}{l}{\mathsf{isRev} : \Pi x : \mathsf{El}\ \mathsf{nat}.\ \mathsf{El}\ (\mathsf{list}\ x) \to \mathsf{El}\ (\mathsf{list}\ x) \to \mathsf{El}\ o} \\
\multicolumn{4}{l}{\mathsf{concat} : \Pi x, y : \mathsf{El}\ \mathsf{nat}.\ \mathsf{El}\ (\mathsf{list}\ x) \to \mathsf{El}\ (\mathsf{list}\ y) \to \mathsf{El}\ (\mathsf{list}\ (x + y))}
\end{array}
\]


Example 5 (Set theory). The implementation in Dedukti of set theory [4] is a
theory with prelude encoding. In this implementation, sets are represented by a
more primitive notion of pointed graphs: we have graph and node of type Set.
The predicate η : El graph → El node → El node → El o is such that η a x y
is the proposition asserting that there is an edge in a from y to x. The operator
root : El graph → El node returns the root of a, which is a node.

In practice, the derivations of small judgments are small derivations. As we consider
theories with prelude encoding, the only way of introducing a judgment
that is not small is through λ-abstractions. For instance in Example 4 the judgment
⊢ El (list ((λx : El nat. λy : Set. x) 0 nat)) : TYPE is small, but in its
derivation we have ⊢ λx : El nat. λy : Set. x : El nat → Set → El nat which
is not a small judgment. However, ⊢ El (list 0) : TYPE admits a small derivation.
If the derivation is not small, we can in practice apply β-reduction on the
fragments of the derivation that are not small to obtain a small derivation.


3 Equalities


Since we want to replace rewrite rules ℓ ↪ r by equational axioms ℓ = r, we
need to define an equality in the target theory. In this section, we present a
heterogeneous equality and a method to compare small types. The heterogeneous
equality is necessary to compare objects that do not have the same type. Although
we cannot define an equality between types in λΠ/≡, it is possible to
develop an equality between small types, taking advantage of their structure.


3.1 Heterogeneous Equality


In our development, we need to have an equality between two translations of the
same term. However, the two translations do not necessarily have the same type,
as we may have introduced transports over the course of the translation. To that
end, we define a heterogeneous equality inspired by the one of McBride [18]. Our
heterogeneous equality is defined by the constant schemas $\mathsf{heq}_{A,B} : A \to B \to \mathsf{El}\ o$
where A and B are of type TYPE. We write $u \mathrel{{}_A{\simeq}_B} v$ for $\mathsf{Prf}\ (\mathsf{heq}_{A,B}\ u\ v)$.
Heterogeneous equality is reflexive, symmetric, and transitive.

\[
\begin{array}{l}
\mathsf{refl}_A : \Pi u : A.\ u \mathrel{{}_A{\simeq}_A} u \\
\mathsf{sym}_{A,B} : \Pi u : A.\ \Pi v : B.\ u \mathrel{{}_A{\simeq}_B} v \to v \mathrel{{}_B{\simeq}_A} u \\
\mathsf{trans}_{A,B,C} : \Pi u : A.\ \Pi v : B.\ \Pi w : C.\ u \mathrel{{}_A{\simeq}_B} v \to v \mathrel{{}_B{\simeq}_C} w \to u \mathrel{{}_A{\simeq}_C} w
\end{array}
\]

When two objects have the same type, heterogeneous equality acts as Leibniz
equality. In particular, we can replace u by v in the universes of propositions
and types. The result of a Leibniz substitution on t remains equal to t.

\[
\begin{array}{l}
\mathsf{leib}^{\mathsf{Prf}}_A : \Pi u, v : A.\ \Pi p : u \mathrel{{}_A{\simeq}_A} v.\ \Pi P : A \to \mathsf{El}\ o.\ \mathsf{Prf}\ (P\ u) \to \mathsf{Prf}\ (P\ v) \\
\mathsf{eqLeib}^{\mathsf{Prf}}_A : \Pi u, v : A.\ \Pi p : u \mathrel{{}_A{\simeq}_A} v.\ \Pi P : A \to \mathsf{El}\ o.\ \Pi t : \mathsf{Prf}\ (P\ u). \\
\qquad \mathsf{leib}^{\mathsf{Prf}}_A\ u\ v\ p\ P\ t \mathrel{{}_{\mathsf{Prf}\ (P\ v)}{\simeq}_{\mathsf{Prf}\ (P\ u)}} t
\end{array}
\]

The same axiom schemas exist for the universe of types, with superscript El
instead of Prf, El instead of Prf, and Set instead of El o.


Finally, we add axioms for the congruence of each constructor of λΠ/≡.

Application constructor. For the application, we take:

\[
\begin{array}{l}
\mathsf{app}_{A_1,A_2,B_1,B_2} : \Pi t_1 : (\Pi x : A_1.\ B_1).\ \Pi t_2 : (\Pi x : A_2.\ B_2).\ \Pi u_1 : A_1.\ \Pi u_2 : A_2. \\
\qquad t_1 \simeq t_2 \to u_1 \simeq u_2 \to t_1\ u_1 \mathrel{{}_{B_1[x \mapsto u_1]}{\simeq}_{B_2[x \mapsto u_2]}} t_2\ u_2
\end{array}
\]

For the λ-abstraction and Π-type constructors, we cannot directly build equality
axioms. Indeed, if we want to define an equality between functional terms t₁ of
type Πx : A₁. B₁ and t₂ of type Πx : A₂. B₂, we need to ensure that types A₁
and A₂ are equal. Therefore, we would like to have

\[
\begin{array}{l}
\mathsf{fun}_{A_1,A_2,B_1,B_2} : \Pi t_1 : (\Pi x : A_1.\ B_1).\ \Pi t_2 : (\Pi y : A_2.\ B_2).\ A_1 \simeq A_2 \\
\qquad \to (\Pi x : A_1.\ \Pi y : A_2.\ x \simeq y \to t_1\ x \simeq t_2\ y) \to t_1 \simeq t_2
\end{array}
\]

but we cannot take such an axiom, since the heterogeneous equality is not defined
to compare objects that have type TYPE, and A₁ ≃ A₂ is therefore ill typed. This
shortcoming is addressed by developing an equality between small types.


3.2 Equality between Small Types 


We cannot build an equality between types, since such an equality would have 
type TYPE → TYPE → TYPE, which is impossible in λΠ/≡. An option would be to 
take axiom schemas A ≃ B for every equality between types A and B. Such an 
equality would be too far from standard and would require additional axioms to 
build transports. An alternative is to define an equality between small types. By 
construction, if ν(A) ∈ P, then ν(A) is generated from Prf a for some a : El o, 
and if ν(A) ∈ E, then ν(A) is generated from El a for some a : Set. If the small 
form of A contains Prf a and the small form of B contains Prf b, then we want 
an equality between a and b. We define the partial function κ on small forms by 

$$\kappa(\mathsf{Prf}\ a_1, \mathsf{Prf}\ a_2) = a_1 \simeq a_2 \qquad \kappa(\mathsf{El}\ a_1, \mathsf{El}\ a_2) = a_1 \simeq a_2$$
$$\kappa(S, S) = \mathsf{True} \text{ if } S \in \mathcal{S} \qquad \kappa(T_1 \to S, T_2 \to S) = \kappa(T_1, T_2) \text{ if } S \in \mathcal{S}$$
$$\kappa(\Pi x : S.\ T_1, \Pi x : S.\ T_2) = \Pi x : S.\ \kappa(T_1, T_2) \text{ if } S \in \mathcal{S}$$

where True := ΠP : El o. Prf P → Prf P, so we can always give a witness 
of κ(S, S) if S ∈ S. By convention, we simply write κ(A, B) for the result of 
κ(ν(A), ν(B)). 

Example 6. κ(Πx : Set. Prf P → Prf Q, Πx : Set. Prf R) = Πx : Set. (P ⇒d 
λz : P. Q) ≃ R since ν(Πx : Set. Prf P → Prf Q) = Πx : Set. Prf (P ⇒d (λz : 
P. Q)). 


We can now go back to the definition of equality axioms for the constructors of 
λΠ/≡. 

Function constructor. If A1 and A2 are small types, we can take κ(A1, A2). We 
do not compare objects of type TYPE anymore, but objects that have either type 
El o or type Set. The axiom schema for the function constructor is thus: 

$$\mathsf{fun}_{A_1,A_2,B_1,B_2} : \Pi t_1 : (\Pi x : A_1.\ B_1).\ \Pi t_2 : (\Pi y : A_2.\ B_2).\ \kappa(A_1, A_2) \to (\Pi x : A_1.\ \Pi y : A_2.\ x \simeq y \to t_1\ x \simeq t_2\ y) \to t_1 \simeq t_2$$

This axiom schema is a generalization of the functional extensionality principle 
with distinct domains A1 and A2 in the case of heterogeneous equality. Functional 
extensionality states that two pointwise-equal functions are equal. If the 
domains A1 and A2 are generated by S, then they are syntactically equal and 
we can derive a simpler axiom schema: 

$$\mathsf{fun}_{A,B_1,B_2} : \Pi t_1 : (\Pi x : A.\ B_1).\ \Pi t_2 : (\Pi x : A.\ B_2).\ (\Pi x : A.\ t_1\ x \simeq t_2\ x) \to t_1 \simeq t_2$$


Π-type constructor. The congruence axiom for dependent types aims at building 
κ(Πx : A1. B1, Πx : A2. B2). There are different cases depending on the 
grammars generating ν(A1), ν(A2), ν(B1) and ν(B2). If ν(A1), ν(A2), ν(B1), 
ν(B2) ∈ S, then Πx : A1. B1 and Πx : A2. B2 are syntactically equal and we 
can build an object of type True. If ν(A1), ν(A2) ∈ S and ν(B1), ν(B2) ∈ P ∪ E, 
then A1 = A2 and κ(Πx : A1. B1, Πx : A2. B2) = Πx : A1. κ(B1, B2). If 
ν(A1), ν(A2) ∈ P ∪ E and ν(B1), ν(B2) ∈ S, then B1 = B2 and κ(Πx : 
A1. B1, Πx : A2. B2) = κ(A1, A2). If ν(A1), ν(A2), ν(B1), ν(B2) ∈ P ∪ E, 
then there are four cases, corresponding to ⇝d, ⇒d, π and ∀. For instance, if 
ν(A1), ν(A2), ν(B1) and ν(B2) are all generated by E, then necessarily we have 
ν(A1) = El a1, ν(A2) = El a2, ν(B1) = El b1 and ν(B2) = El b2. Therefore 
κ(Πx : A1. B1, Πx : A2. B2) = (a1 ⇝d (λx : El a1. b1)) ≃ (a2 ⇝d (λx : El a2. b2)). 
The axiom is: 

$$\mathsf{prod}_{\leadsto_d} : \Pi a_1, a_2 : \mathsf{Set}.\ \Pi b_1 : (\mathsf{El}\ a_1 \to \mathsf{Set}).\ \Pi b_2 : (\mathsf{El}\ a_2 \to \mathsf{Set}).\ a_1 \simeq a_2 \to (\Pi x : \mathsf{El}\ a_1.\ \Pi y : \mathsf{El}\ a_2.\ x \simeq y \to b_1\ x \simeq b_2\ y) \to (a_1 \leadsto_d b_1) \simeq (a_2 \leadsto_d b_2)$$

Note that this axiom is derivable from the previous axioms. We proceed similarly 
for the cases ⇒d, π and ∀. 

We write Σ_eq for the signature formed by the axiom schemas defining the 
heterogeneous equality. Reflexivity, symmetry, and transitivity are standard 
axioms of equality. We have also added axioms stating that a heterogeneous 
equality comparing two objects of the same type acts like Leibniz equality. Finally, 
we have an axiom for the application constructor and one axiom for the 
abstraction constructor—that is, functional extensionality. Both axioms are used 
by Oury [19], who also assumes the uniqueness of identity proofs principle that 
entails the Leibniz principle we use. 
4 Replacing Rewrite Rules 


When working in theories with prelude encoding, rewriting originates from the 
rewrite rules of Σ_pre (which are generic rewrite rules), from the rewrite rules Σ_R 
(which are defined by the user) and from β-reduction. The goal of this work is to 
replace the user-defined rewrite rules Σ_R by equational axioms. In the rest of the 
paper, we write ⊢_R for a derivation inside the source theory—the theory with 
user-defined rewrite rules—and ⊢ for a derivation inside the target theory—the 
theory with axioms instead of user-defined rewrite rules. 

We now have all the tools to replace rewrite rules by equational axioms. To 
do so, we build suitable transports, such that if Γ ⊢ t : A and Γ ⊢ p : κ(A, B), 
then Γ ⊢ transp p t : B. The goal is to insert such transports into the terms 
instead of using conversion with the rules of Σ_R. In the signature, each rewrite 
rule ℓ ↪ r is replaced by the equational axiom ℓ ≃ r. 


4.1 Transports 


If we have Γ ⊢ t : A and Γ ⊢ p : κ(A, B), we want to transport t from A to B, 
that is, to build a term transp p t such that Γ ⊢ transp p t : B. A paramount 
result is that t and transp p t are heterogeneously equal. 


Lemma 2 (Transport). Given Γ ⊢ t : A and Γ ⊢ p : κ(A, B) with A and B 
small types, there exists transp p t, called the transport of t along p, such that: 


– Γ ⊢ transp p t : B, 
– there exists eqTransp such that Γ ⊢ eqTransp p t : transp p t ≃_{B,A} t. 


Proof. A and B are small types and we have an equality κ(A, B). If A, B ∈ S 
then ν(A) = ν(B) = A = B and we take transp p t := t and eqTransp p t := 
refl_A t. Otherwise, by construction of κ, we know that ν(A), ν(B) ∈ P, or 
ν(A), ν(B) ∈ E, and that ν(A) and ν(B) have the same structure. Moreover, 
using A ≡_{Σ_pre} ν(A), we have Γ ⊢ t : ν(A). We proceed by induction on the 
grammar P (we proceed similarly for the grammar E). 


– If ν(A) = Prf a and ν(B) = Prf b, then we have Γ ⊢ p : a ≃ b. We take 
transp p t := leib^{Prf}_{El o} a b p (λw : El o. w) t. We conclude using eqLeib^{Prf}_{El o}. 

– If ν(A) = A' → S and ν(B) = B' → S, with A', B' ∈ P and S ∈ S, then we 
have κ(A', B') = κ(A, B). From Γ ⊢ p : κ(A', B') we can build some p' such 
that Γ ⊢ p' : κ(B', A') (using sym). By weakening, we also have p' : κ(B', A') 
in the context Γ, m_b : B'. By induction, we have transp p' m_b : A' and 
eqTransp p' m_b : transp p' m_b ≃ m_b in the context Γ, m_b : B'. We take 
transp p t := λm_b : B'. t (transp p' m_b). Using trans and app we obtain an 
equality t (transp p' m_b) ≃ t m_a in the context Γ, m_a : A', m_b : B', p_m : 
m_a ≃ m_b. Using fun and ≡_{Σ_pre}, we have λm_b : B'. t (transp p' m_b) ≃ t in 
the context Γ. 

– If ν(A) = Πz : S. A' and ν(B) = Πz : S. B' with A', B' ∈ P and S ∈ S, then 
we have κ(A, B) = Πz : S. κ(A', B'). By weakening and application, we have 
Γ, z : S ⊢ p z : κ(A', B'). By induction we have transp (p z) (t z) : B' and 
eqTransp (p z) (t z) : transp (p z) (t z) ≃ t z in the context Γ, z : S. We take 
transp p t := λz : S. transp (p z) (t z). We obtain λz : S. transp (p z) (t z) ≃ t 
using fun and ≡_{Σ_pre}. 


The transport of t from A to B depends on the small forms of A and B. In that 
respect, there exists a different transport for each possible family of small forms, 
and each such transport is indexed by an equality between small types. 
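As an added illustration (not code from the paper), the following Python models small forms as syntax trees and implements the partial function κ of Section 3.2 together with the transport construction from the proof of Lemma 2. It assumes an approximation of the grammar S (Set, El o and products over them), represents the axiom constants sym and leib and the prelude constant ⇒d as plain named constants, and runs Example 6 and the three transport cases on constructed inputs.

```python
# Added example (not code from the paper): syntax trees for small forms, the
# partial function κ of Section 3.2 and the transport construction of Lemma 2.
from __future__ import annotations
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Var: name: str                               # variable
@dataclass(frozen=True)
class Const: name: str                             # constants, including axiom names
@dataclass(frozen=True)
class App: fn: Term; arg: Term                     # application
@dataclass(frozen=True)
class Lam: var: str; ty: Term; body: Term          # λvar : ty. body
@dataclass(frozen=True)
class Pi: var: str; ty: Term; body: Term           # Πvar : ty. body (an arrow when var is unused)
@dataclass(frozen=True)
class Heq: lhs: Term; rhs: Term                    # lhs ≃ rhs; the two types of heq are left implicit

Term = Union[Var, Const, App, Lam, Pi, Heq]
SET, O, PRF, EL, SYM = (Const(n) for n in ("Set", "o", "Prf", "El", "sym"))
LEIB_PRF, LEIB_EL = Const("leib_Prf_Elo"), Const("leib_El_Set")  # leib^Prf_{El o}, leib^El_Set
EL_O = App(EL, O)
TRUE = Pi("P", EL_O, Pi("_", App(PRF, Var("P")), App(PRF, Var("P"))))  # ΠP : El o. Prf P → Prf P


def apps(fn: Term, *args: Term) -> Term:
    for a in args:                                 # left-nested application fn a1 ... an
        fn = App(fn, a)
    return fn


def subst(t: Term, x: str, r: Term) -> Term:
    """t[x ↦ r]; binder names are assumed fresh, so no capture check is made."""
    if isinstance(t, Var):
        return r if t.name == x else t
    if isinstance(t, Const):
        return t
    if isinstance(t, App):
        return App(subst(t.fn, x, r), subst(t.arg, x, r))
    if isinstance(t, Heq):
        return Heq(subst(t.lhs, x, r), subst(t.rhs, x, r))
    body = t.body if t.var == x else subst(t.body, x, r)
    return type(t)(t.var, subst(t.ty, x, r), body)


def in_S(t: Term) -> bool:
    """Assumed approximation of the grammar S: Set, El o and products over them."""
    return t in (SET, EL_O) or (isinstance(t, Pi) and in_S(t.ty) and in_S(t.body))


def same_head(a: Term, b: Term) -> bool:
    """Both are Prf _ (grammar P) or both are El _ (grammar E)."""
    return isinstance(a, App) and isinstance(b, App) and a.fn == b.fn and a.fn in (PRF, EL)


def kappa(a: Term, b: Term) -> Term:
    """The partial function κ on small forms; raises where κ is undefined."""
    if in_S(a) and a == b:
        return TRUE                                # κ(S, S) = True
    if same_head(a, b):
        return Heq(a.arg, b.arg)                   # κ(Prf a1, Prf a2) = a1 ≃ a2, same for El
    if isinstance(a, Pi) and isinstance(b, Pi):
        if in_S(a.body) and a.body == b.body:      # κ(T1 → S, T2 → S) = κ(T1, T2)
            return kappa(a.ty, b.ty)
        if in_S(a.ty) and a.ty == b.ty:            # κ(Πx:S. T1, Πx:S. T2) = Πx:S. κ(T1, T2)
            return Pi(a.var, a.ty, kappa(a.body, subst(b.body, b.var, Var(a.var))))
    raise ValueError(f"kappa is undefined on {a} and {b}")


def transp(p: Term, t: Term, a: Term, b: Term) -> Term:
    """Given t : a and p : κ(a, b), build transp p t : b following the proof of Lemma 2."""
    if in_S(a) and a == b:
        return t                                   # transp p t := t
    if same_head(a, b):                            # leib a1 a2 p (λw. w) t
        leib, univ = (LEIB_PRF, EL_O) if a.fn == PRF else (LEIB_EL, SET)
        return apps(leib, a.arg, b.arg, p, Lam("w", univ, Var("w")), t)
    if isinstance(a, Pi) and isinstance(b, Pi):
        if in_S(a.body) and a.body == b.body:      # A' → S to B' → S
            # λm_b : B'. t (transp p' m_b) with p' := sym p : κ(B', A'); m_b assumed fresh
            inner = transp(App(SYM, p), Var("m_b"), b.ty, a.ty)
            return Lam("m_b", b.ty, App(t, inner))
        if in_S(a.ty) and a.ty == b.ty:            # Πz : S. A' to Πz : S. B'
            z = Var(a.var)                         # λz : S. transp (p z) (t z)
            return Lam(a.var, a.ty, transp(App(p, z), App(t, z), a.body, subst(b.body, b.var, z)))
    raise ValueError(f"no transport between {a} and {b}")


# Example 6 on constructed inputs: P, Q, R : El o and the prelude constant ⇒d
# (IMPD here), with the small form of Prf P → Prf Q taken as Prf (P ⇒d λz : Prf P. Q).
P, Q, R, IMPD = (Const(n) for n in ("P", "Q", "R", "impd"))
PQ = App(PRF, apps(IMPD, P, Lam("z", App(PRF, P), Q)))
EXAMPLE6 = kappa(Pi("x", SET, PQ), Pi("x", SET, App(PRF, R)))


def example_transports() -> dict:
    """The three cases of Lemma 2 on constructed a, b : El o, p : κ(a, b) and t : a."""
    a, b, p, t = Const("a"), Const("b"), Var("p"), Var("t")
    return {"prf": transp(p, t, App(PRF, a), App(PRF, b)),
            "arrow": transp(p, t, Pi("_", App(PRF, a), SET), Pi("_", App(PRF, b), SET)),
            "pi": transp(p, t, Pi("x", SET, App(PRF, a)), Pi("x", SET, App(PRF, b)))}
```

Each transport returned by `example_transports` is built by one case of the proof; κ raising on Prf a and El a shows where the partial function is undefined.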


4.2 Translation of Terms 


To translate a theory with rewrite rules into a theory with equational axioms, 
we add transports at the proper locations in the terms and types. If we have 
Γ ⊢_R t : A in the source theory, we want to find Γ̄, t̄ and Ā that are translations 
of Γ, t and A, and such that Γ̄ ⊢ t̄ : Ā in the target theory. 

We add transports in a term by induction on a typing derivation—which is 
not unique—so we may have different translations for the same term. As such, we 
define a relation ◁ where t̄ ◁ t states that t̄ is a translation of t. The relation 
is defined by induction on the terms of λΠ/≡.  Variables, constants, TYPE and 
KIND are translations of themselves. The translations of λ-abstractions λx : A. t, 
dependent types Πx : A. B and applications t u rely on the translations of t, 
u, A and B. The most important part of the definition is that the translation is 
stable by transports: if t̄ is a translation of t, then transp p t̄ is also a translation 
of t, with p typically an equality. This relation captures all possible translations, 
but some are not correct as they may not be well typed. For instance, λx : A. t̄ 
is not a valid translation of λx : A. t when the variable x used in t̄ does not 
expect type A but another translation Ā'. 


Definition 6. The translation relation ◁ is defined by: 

$$x \lhd x \qquad c \lhd c \qquad \mathsf{TYPE} \lhd \mathsf{TYPE} \qquad \mathsf{KIND} \lhd \mathsf{KIND}$$
$$\frac{\bar{A} \lhd A \quad \bar{t} \lhd t}{(\lambda x : \bar{A}.\ \bar{t}) \lhd (\lambda x : A.\ t)} \qquad \frac{\bar{A} \lhd A \quad \bar{B} \lhd B}{(\Pi x : \bar{A}.\ \bar{B}) \lhd (\Pi x : A.\ B)}$$
$$\frac{\bar{t} \lhd t \quad \bar{u} \lhd u}{(\bar{t}\ \bar{u}) \lhd (t\ u)} \qquad \frac{\bar{t} \lhd t}{(\mathsf{transp}\ p\ \bar{t}) \lhd t}$$

where p is an arbitrary term. 


Due to the typing rules of λΠ/≡, transports for objects that have TYPE in their 
type do not exist. Therefore, the only well-typed translations of TYPE, KIND, Set, 
Prf and El are themselves, and the well-typed translations of Πx : A. B are 
of the form Πx : Ā. B̄ with Ā ◁ A and B̄ ◁ B. It follows that a well-typed 
translation of a small type is still a small type. In particular, if A ∈ S then 
for any Ā we have Ā := A; if ν(A) ∈ P then ν(Ā) ∈ P; and if ν(A) ∈ E then 
ν(Ā) ∈ E. 

We extend the relation to contexts and signatures. For each rewrite rule 
ℓ ↪ r of a signature, we have x⃗ : B⃗ ⊢_R ℓ : A and x⃗ : B⃗ ⊢_R r : A, for some B⃗ 
and A, and some x⃗ representing the free variables of ℓ. The translation of the 
rewrite rule ℓ ↪ r is given by the equational axiom eq_ℓ : Πx⃗ : B⃗. ℓ ≃_{A,A} r. 
Since the type of a term is not unique in λΠ/≡, we have made a choice of B⃗ 
and A, which is not a problem as we will see in the proof of the main theorem. 


Definition 7. ◁ is defined on contexts and signatures by: 


Lemma 3. If t̄ ◁ t and ū ◁ u then t̄[x ↦ ū] ◁ t[x ↦ u]. 


Proof. By induction on the derivation of t̄ ◁ t. For the case with the transport, 
we can prove that (transp p t̄)[x ↦ ū] = transp p[x ↦ ū] t̄[x ↦ ū]. 


Definition 8 (Relation ≈). We say that t1 ≈ t2 when there exists some t such 
that t1 ◁ t and t2 ◁ t. 


Lemma 4. ≈ is an equivalence relation. 


Proof. ≈ is reflexive, symmetric and transitive. When proving transitivity we 
exploit the fact that whenever t ◁ u1 and t ◁ u2, we have u1 = u2. Reflexivity 
is proved by induction on the term. 


An important result we need to prove is that two well-typed translations t1 and 
t2 of the same term t are heterogeneously equal. By construction, both terms do 
not necessarily have the same type or the same context. We will always consider 
Γ1 ⊢ t1 : A1 and Γ2 ⊢ t2 : A2, where Γ1 and Γ2 have the same length and the same 
variables (with possibly different types). The equality between t1 and t2 must be 
typed in some context, but Γ1 and Γ2 are not sufficient. That is why we define 
a common context Γ1 × Γ2 (written Pack Γ1 Γ2 in the work of Winterhalter et 
al. [23]) by duplicating each variable and by assuming a witness of heterogeneous 
equality between these two duplicates. More precisely, we partially define × by 
induction on small contexts: 

$$() \times () = ()$$
$$(\Gamma_1, x : A_1) \times (\Gamma_2, x : A_2) = \Gamma_1 \times \Gamma_2,\ x_1 : A_1[\gamma_1],\ x_2 : A_2[\gamma_2],\ p_x : x_1 \simeq x_2$$

where γ1 substitutes variables z by z1 and γ2 substitutes variables z by z2. We 
write γ12 for the substitution that replaces the variables z1 and z2 by z and the 
variable p_z by refl z. 

Lemma 5. If Γ × Γ ⊢ t : A, then we can derive Γ ⊢ t[γ12] : A[γ12]. 


Proof. We proceed by induction on the length of Γ. If we have () × () ⊢ t : A 
then by definition we have () ⊢ t : A. Suppose that we have (Γ, x : B) × (Γ, x : 
B) ⊢ t : A. We apply successively Lemma 1 to replace x2 and x1 by x and then 
p_x by refl x. 


The following lemma states that two translations of the same term are 
heterogeneously equal. 


Lemma 6 (Equal translations). Let t1 ≈ t2 such that Γ1 ⊢ t1 : A1 and 
Γ2 ⊢ t2 : A2 with Γ1 and Γ2 small contexts. 


1. If Γ1 ⊢ A1 : TYPE and Γ2 ⊢ A2 : TYPE, then there exists some p such that 
Γ1 × Γ2 ⊢ p : t1[γ1] ≃_{A1[γ1], A2[γ2]} t2[γ2]. 

2. If t1 and t2 are small types, then there exists some p such that Γ1 × Γ2 ⊢ p : 
κ(t1[γ1], t2[γ2]). 


Proof. We proceed by induction on the derivation of t1 ≈ t2. We show two 
interesting cases. 


– TRANSPORT: (transp p t1) ≈ t2. 
We have Γ1 ⊢ transp p t1 : A1 and Γ2 ⊢ t2 : A2. By inversion of typing, 
we have Γ1 ⊢ t1 : A1' and Γ1 ⊢ p : κ(A1', A1). By induction there 
exists some p1 such that Γ1 × Γ2 ⊢ p1 : t1[γ1] ≃ t2[γ2]. We also have Γ1 ⊢ 
eqTransp p t1 : transp p t1 ≃ t1. We derive that Γ1 × Γ2 ⊢ (eqTransp p t1)[γ1] : 
(transp p t1)[γ1] ≃ t1[γ1]. We conclude using transitivity. 


– APPLICATION: (t1 u1) ≈ (t2 u2). 
Suppose that t1 u1 and t2 u2 are small types. Then the only possible cases 
are t1 = t2 = Prf or t1 = t2 = El. If t1 = t2 = Prf, then we have Γ1 ⊢ 
Prf u1 : TYPE and Γ2 ⊢ Prf u2 : TYPE. Since κ(Prf u1, Prf u2) = u1 ≃ u2, 
the result is simply the induction hypothesis Γ1 × Γ2 ⊢ p : u1[γ1] ≃ u2[γ2]. 
We proceed similarly for El u1 ≈ El u2. 

Suppose that we have Γ1 ⊢ t1 u1 : T1 and Γ2 ⊢ t2 u2 : T2 with Γ1 ⊢ T1 : TYPE 
and Γ2 ⊢ T2 : TYPE. Then by inversion of typing we have Γ1 ⊢ u1 : B1 and 
Γ2 ⊢ u2 : B2 and Γ1 ⊢ t1 : Πx : A1. B1 and Γ2 ⊢ t2 : Πx : A2. B2, with 
T1 ≡_{Σ_pre} B1[x ↦ u1] and T2 ≡_{Σ_pre} B2[x ↦ u2]. By induction hypotheses, 
we have Γ1 × Γ2 ⊢ p_t : t1[γ1] ≃ t2[γ2] and Γ1 × Γ2 ⊢ p_u : u1[γ1] ≃ u2[γ2]. We 
conclude using app. 


4.3 Translation of Judgments 


In the previous section we have seen all the possible translations for terms. However, 
the only translations that matter are the translations of judgments: context 
formation judgments and typing judgments. 

Definition 9. For any ⊢_R Γ we define a set [⊢_R Γ] of valid judgments such 
that ⊢ Γ̄ ∈ [⊢_R Γ] if and only if Γ̄ ◁ Γ. For any Γ ⊢_R t : A we define a set 
[Γ ⊢_R t : A] of valid judgments such that Γ̄ ⊢ t̄ : Ā ∈ [Γ ⊢_R t : A] if and only 
if ⊢ Γ̄ ∈ [⊢_R Γ], t̄ ◁ t and Ā ◁ A. 


We are now able to prove that it is possible to switch between two translations 
of a small type. 


Lemma 7 (Switching translations). Suppose that we have A a small type, 
Γ̄ ⊢ t̄ : Ā ∈ [Γ ⊢_R t : A] and Γ̄ ⊢ Ā' : TYPE ∈ [Γ ⊢_R A : TYPE] with Γ̄ a small 
context. Then there exists t̄' such that Γ̄ ⊢ t̄' : Ā' ∈ [Γ ⊢_R t : A]. 


Proof. If ν(A) ∈ S, then Ā := A and Ā' := A, and we take t̄' := t̄. If ν(A) ∈ P, 
then ν(Ā), ν(Ā') ∈ P (this is similar for E). As Ā and Ā' are two translations of 
A, we have Ā ≈ Ā'. From Lemma 6 we have Γ̄ × Γ̄ ⊢ p : κ(Ā[γ1], Ā'[γ2]). Using 
Lemma 5 we obtain Γ̄ ⊢ p[γ12] : κ(Ā, Ā'). Using Lemma 2 there exists some 
transp p[γ12] t̄ ◁ t (since t̄ ◁ t) such that Γ̄ ⊢ transp p[γ12] t̄ : Ā'. 


4.4 Translation of Theories 


Now that we have translated terms and judgments, we want to translate 
theories, so that the translation of every provable judgment in the source theory 
is provable in the target theory. The target theory T^ax = Σ_pre ∪ Σ_eq ∪ Σ̄_R is 
obtained by adding the axioms of equality to the signature, and by translating 
Σ_R. To do so, we translate each typed constant and rewrite rule one by one. At 
the end, the rewrite rules of Σ_R have been replaced by equational axioms. 

The paramount result of this paper is the following theorem. The first item 
concerns context formation. The second item is about the translation of typing 
judgments. The third item focuses on convertible contexts. The fourth and fifth 
items are about the conversion rules. It is worth noting that in the second item 
we use the universal quantifier on Γ̄ instead of using the existential quantifier. We 
have opted for the universal quantifier so we can obtain the induction hypotheses 
for a common context. 


Theorem 1 (Elimination of the rewrite rules). Let a theory T = Σ in 
λΠ/≡ such that T is a theory with prelude encoding and such that all the 
derivations considered are small derivations. There exists a signature Σ̄_R ◁ Σ_R such 
that the theory T^ax = Σ_pre ∪ Σ_eq ∪ Σ̄_R satisfies: 


1. If ⊢_R Γ, then there exists ⊢ Γ̄ ∈ [⊢_R Γ]. 

2. If Γ ⊢_R t : A, then for every ⊢ Γ̄ ∈ [⊢_R Γ] there exist t̄ and Ā such that 
Γ̄ ⊢ t̄ : Ā ∈ [Γ ⊢_R t : A]. 

3. If (⊢_R Γ1) ≡ (⊢_R Γ2), then for every ⊢ Γ̄1 ∈ [⊢_R Γ1] and ⊢ Γ̄2 ∈ [⊢_R Γ2], 
we have ⊢ Γ̄1 × Γ̄2. 

4. If (Γ1 ⊢_R u1 : A1) ≡ (Γ2 ⊢_R u2 : A2) with Γ1 ⊢_R A1 : TYPE and Γ2 ⊢_R 
A2 : TYPE, then for every ⊢ Γ̄1 ∈ [⊢_R Γ1] and ⊢ Γ̄2 ∈ [⊢_R Γ2], we have 
Γ̄1 ⊢ ū1 : Ā1 ∈ [Γ1 ⊢_R u1 : A1] and Γ̄2 ⊢ ū2 : Ā2 ∈ [Γ2 ⊢_R u2 : A2] and 
there exists some p such that Γ̄1 × Γ̄2 ⊢ p : ū1[γ1] ≃_{Ā1[γ1], Ā2[γ2]} ū2[γ2]. 

5. If (Γ1 ⊢_R u1 : TYPE) ≡ (Γ2 ⊢_R u2 : TYPE), then for every ⊢ Γ̄1 ∈ [⊢_R Γ1] 
and ⊢ Γ̄2 ∈ [⊢_R Γ2], we have Γ̄1 ⊢ ū1 : TYPE ∈ [Γ1 ⊢_R u1 : TYPE] and 
Γ̄2 ⊢ ū2 : TYPE ∈ [Γ2 ⊢_R u2 : TYPE] and there exists some p such that 
Γ̄1 × Γ̄2 ⊢ p : κ(ū1[γ1], ū2[γ2]). 


Proof. The proof of the five items is done by induction on the typing derivations, 
assuming the existence of Σ̄_R. We show three relevant cases. 


– PROD: 

$$\frac{\Gamma \vdash_R A : \mathsf{TYPE} \qquad \Gamma, x : A \vdash_R B : s}{\Gamma \vdash_R \Pi x : A.\ B : s}$$

Take ⊢ Γ̄ ∈ [⊢_R Γ]. By induction hypothesis, we have Γ̄ ⊢ Ā : TYPE ∈ 
[Γ ⊢_R A : TYPE]. We have (Γ̄, x : Ā) ◁ (Γ, x : A) and we know that the 
only translation of sort s is itself, therefore by induction hypothesis we have 
Γ̄, x : Ā ⊢ B̄ : s ∈ [Γ, x : A ⊢_R B : s]. We conclude that Γ̄ ⊢ Πx : Ā. B̄ : s 
using the PROD rule. 


– CONV: 

$$\frac{\Gamma \vdash_R t : A \qquad (\Gamma \vdash_R A : s) \equiv (\Gamma \vdash_R B : s)}{\Gamma \vdash_R t : B}$$

Take ⊢ Γ̄ ∈ [⊢_R Γ]. As we consider small derivations, either A is a small 
type or A and B are the same type. 

If A is a small type, then by induction hypothesis we have Γ̄ × Γ̄ ⊢ p : 
κ(Ā[γ1], B̄[γ2]). By Lemma 5 we obtain Γ̄ ⊢ p[γ12] : κ(Ā, B̄). By Lemma 7 
and the induction hypothesis we have Γ̄ ⊢ t̄ : Ā ∈ [Γ ⊢_R t : A]. Thanks to 
Lemma 2 there exists some t̄' such that Γ̄ ⊢ t̄' : B̄ ∈ [Γ ⊢_R t : B]. 

If A and B are the same type, then no conversion is needed and the result 
is simply given by the induction hypothesis Γ̄ ⊢ t̄ : Ā. 


– CONVREFL: 

$$\frac{\Gamma \vdash_R u : A}{(\Gamma \vdash_R u : A) \equiv (\Gamma \vdash_R u : A)}$$

Take ⊢ Γ̄ ∈ [⊢_R Γ]. By induction hypothesis, we have Γ̄ ⊢ ū : Ā ∈ [Γ ⊢_R 
u : A]. 

If Γ ⊢_R A : TYPE, then we build Γ̄ × Γ̄ ⊢ p : ū[γ1] ≃ ū[γ2] using all the 
congruence rules of ≃. 

We proceed similarly for the case A = TYPE. 


The existence of Σ̄_R is proved by induction on the length of Σ_R, using the 
previous five items and () ◁ (). 


Corollary 1 (Preservation). If ⊢_R t : A and ⊢ Ā : s ∈ [⊢_R A : s], then there 
exists t̄ such that ⊢ t̄ : Ā. 

Proof. By Theorem 1 we have ⊢ t̄' : Ā' ∈ [⊢_R t : A]. Using Lemma 7 with 
the target translation Ā, we have some t̄ such that ⊢ t̄ : Ā ∈ [⊢_R t : A]. 


We directly derive the two following conservativity and consistency results. We 
say that a theory T2 is conservative over a theory T1 when every formula in the 
common language of T1 and T2 that is provable in T2 is also provable in T1. 


Corollary 2 (Conservativity). T is a conservative extension of T^ax. 


Corollary 3 (Relative consistency). If T^ax is consistent then T is also 
consistent. 


5 Conclusion 


Discussion. In this paper, we showed that it is possible to replace user-defined 
rewrite rules by equational axioms, in the case of the λΠ-calculus modulo 
theory. This result works for theories with prelude encoding—which is satisfied 
by expressive theories such as predicate logic and set theory—and for small 
derivations—which is in practice the case. So as to replace rewrite rules by 
equational axioms, we have defined a heterogeneous equality with standard axioms— 
reflexivity, symmetry, transitivity, Leibniz principle—and congruences for each 
constructor. At the end, the theory with rewrite rules is a conservative extension 
of the theory with axioms. 


Related work. The similar problem of the translation from an extensional 
system to an intensional system has been investigated by Oury [19]. He proposed 
a translation from the Extensional Calculus of Constructions to the Calculus 
of Inductive Constructions with additional axioms that define a heterogeneous 
equality. Winterhalter, Sozeau and Tabareau provided a translation from 
extensional type theory to intensional type theory [23,24]. They took advantage of 
the presence of dependent pairs to encode a heterogeneous equality, unlike Oury 
who defined it with axioms. 

In this paper, we have shown the existence of a translation from a theory with 
rewrite rules to a theory with equational axioms. Technical challenges appear 
as we are not in an extensional type system. In particular, Oury and 
Winterhalter et al. had a homogeneous equality in their source theory and introduced 
a heterogeneous equality in the target theory. In this work, the source theory 
does not contain a homogeneous equality, and the target theory only contains a 
heterogeneous equality. 

The major difference with previous works is that we are in a logical 
framework without an infinite hierarchy of sorts s_i : s_{i+1} for i ∈ ℕ. In λΠ/≡, we only 
have TYPE : KIND, which is the reason why we cannot define an equality between 
types. As such an equality is of paramount importance in the transports, we have 
considered a subclass of types—called small types—for which we can define an 
equality. However, it is worth noting that the sorts of λΠ/≡ allowed a 
simplification: by construction, there are no transports on types, so the translation of a 
dependent function type is directly a dependent function type. 
Abstract. To better understand Barendregt's genericity for the untyped 
call-by-value λ-calculus, we start by first revisiting it in call-by-name, 
adopting a lighter statement and establishing a connection with contextual 
equivalence. Then, we use it to give a new, lighter proof of maximality 
of head contextual equivalence, i.e. that H* is a maximal consistent 
equational theory. We move on to call-by-value, where we adapt these 
results and also introduce a new notion dual to light genericity, that we 
dub co-genericity. Lastly, we give alternative proofs of (co-)genericity 
based on applicative bisimilarity. 


Keywords: lambda-calculus · semantics · call-by-value. 


1 Introduction 


Barendregt's genericity lemma [14, Prop. 14.3.24] is a classic result in the theory of 
the untyped λ-calculus. It expresses the fact that meaningless terms—also called 
unsolvable terms, a notion generalizing the bad behaviour of the paradigmatic 
looping term Ω := (λx.xx)(λx.xx)—are sort of black holes for evaluation: if 
evaluation should ever enter them, it would never get out. This is specified 
somewhat dually, saying that if a term t containing a meaningless term u evaluates 
to a normal form, that is, if t is observable, then replacing u with any other term 
in t gives a term that is also observable. Roughly, if one can observe a term 
containing a black hole then evaluation never enters the black hole. 

Genericity is arguably more than a lemma, but it is so labeled because its 
main use is as a tool in Barendregt's proofs of collapsibility of meaningless terms, 
that is, the fact that the equational theory H equating all meaningless terms 
is consistent, i.e. it does not equate all terms. Such collapsibility is one of the 
cornerstones of the semantics of the untyped λ-calculus. 


Recap about Meaningless Terms. Meaningless terms were first studied in the 1970s, 
by Wadsworth [45,46] and Barendregt [12,13], while working on denotational 
models and the representation of partial recursive functions (PRFs). The starting 
point is that the natural choice of representing the being undefined of PRFs— 
considered as the paradigmatic meaningless computation—with terms not having 
a normal form leads to a problematic representation of PRFs. The issue is visible 
also at the equational level, as all theories collapsing all diverging terms are 
inconsistent. Wadsworth and Barendregt then identify the class of unsolvable 
terms as a better notion of meaningless terms: the representation of PRFs using 
them as undefined terms is better behaved, they are collapsible, and in particular 
they are identified in Scott's first D∞ model of the untyped λ-calculus. 

© The Author(s) 2024 

Unsolvable terms are defined via a contextual property, but they are also 
characterized as being diverging for head β-reduction →h, rather than plain 
β-reduction →β. The dual notion of solvable terms, which are terminating for 
head reduction, are taken as the right notion of defined term, replacing the natural 
but misleading idea that β-normal forms are the right notion of defined term. 
Barendregt's classic book from the 1980s [14] is built around the concept of 
(un)solvability. Visser and Statman noted that (un)solvability is not the only 
partition of terms providing good representations of PRFs and being collapsible, 
as summarized by Barendregt [15]. Typically, (in)scrutable terms, first studied 
by Paolini and Ronchi della Rocca [38,36,41] (under the name (non-)potentially 
valuable terms), provide an alternative good partition. In call-by-name (CbN), 
(in)scrutable terms correspond to weak head normalizing/diverging terms. 


This Paper. The work presented here stems from the desire to obtain genericity 
for the untyped call-by-value λ-calculus. Perhaps surprisingly, the call-by-value 
(shortened to CbV) λ-calculus behaves quite differently with respect to 
meaningless terms. Accattoli and Guerrieri's recent study of meaningless terms in CbV [6] 
indeed stresses two key differences: genericity fails in CbV, and collapsibility fails 
as well, as any equational theory equating CbV meaningless terms is inconsistent, 
if one considers as meaningless the CbV analogue of unsolvable terms. Accattoli 
and Guerrieri also show that collapsibility can be recovered by adopting a different 
notion of meaningless terms, namely CbV inscrutable terms, but they do not 
prove genericity for them. 

In this paper, we do prove a genericity result for inscrutable terms, and also 
provide a new proof of their collapsibility. These results, however, are only a 
small part of the contributions of this paper. 


Contribution 1: the Very Statement of Genericity. We start by focussing on the 
statement of genericity. The literature contains various versions. The one used 
by Barendregt for proving collapsibility is the following (where unsolvable terms 
are identified with →h-diverging terms), here dubbed as heavy: 


Heavy genericity: let u be →h-diverging and C be a context such that 
C⟨u⟩ →β* n with n β-normal. Then, C⟨t⟩ →β* n for all t. 


In Takahashi's elegant proof of heavy genericity [44]—which is an inspiration for 
our work—the following statement is called fundamental property of unsolvable 
λ-terms, which we here consider as an alternative, lighter statement for genericity: 


Light genericity: let u be →h-diverging and C be a context such that C⟨u⟩ is 
→h-normalizing. Then, C⟨t⟩ is →h-normalizing for all t. 


We adopt the lighter statement as the proper one for genericity for three reasons: 
1. Powerful enough. We show that the collapsibility of unsolvable terms follows 
already from the light notion: there is no need to consider reductions to 
β-normal form, nor the fact that the normal forms of C⟨u⟩ and C⟨t⟩ coincide. 

2. Economical and natural. The light version involves fewer concepts and it is 
more in line with the motivations behind (un)solvability: if the right notion 
of defined terms is head normalizable terms, it is somewhat odd to state 
genericity with respect to β-normal forms. 

3. Modularity. In CbV, it is less clear what notion of normal form to use for 
the heavy statement, as shall be explained below. The light version, instead, 
adapts naturally. It is also impossible to have a heavy form of the co-genericity 
property given below, since the involved terms have no (full) normal form. 


We then adapt Takahashi’s proof of heavy genericity to the light case. 


Contribution 2: (Open) Contextual Equivalence/Pre-Order. Once one adopts 
the light statement, a connection with contextual equivalence becomes evident. 
Precisely, consider the contextual pre-order (that is, the asymmetric variant of 
contextual equivalence) induced by head reduction: 


Head contextual pre-order: t ≼h u if C⟨t⟩ →h-normalizing implies C⟨u⟩ 
→h-normalizing, for all closing contexts C. 


Light genericity seems to rephrase that →h-diverging terms are minimum terms 
with respect to ≼h. There is however a small yet non-trivial glitch: contextual 
pre-orders/equivalences are defined using closing contexts, while genericity is 
defined using arbitrary, possibly open contexts. Is the closing requirement essential 
in the definition of contextual notions? To our knowledge, this question has not 
been addressed in the literature. In fact, there is no absolute answer for all cases, 
as it depends on the notion of observation and on the underlying calculus. 

We show that, for head reduction, open and closed contextual notions do 
coincide, which we refer to as the fact that head reduction is openable. As is 
often the case with behavioral notions, proving head reduction openable cannot 
be done by simply unfolding the definitions, and requires some work. 

The proof that we provide is—we believe—particularly elegant. It is obtained 
as the corollary of a further contribution, the revisitation of another classic result 
from the theory of the untyped A-calculus, described next. 


Contribution 3: Maximality. Barendregt proves that open head contextual 
equivalence—what he denotes as the equational theory H*—is maximal among 
consistent equational theories, i.e. any extension of H* is inconsistent (moreover, 
H* is the unique maximum theory among those collapsing unsolvable terms). His 
proof uses Böhm's theorem, an important and yet non-trivial result. We give a 
new proof based only on light genericity, which is an arguably simpler result than 
Böhm's theorem, obtained by adapting a similar result for CbV by Egidi et al. [19]. 


Contribution 4: Call-by-Value. Finally, we study the CbV case, adopting 
inscrutable terms as the notion of meaningless terms. In Plotkin's original CbV calculus 
[40], however, these terms cannot be characterized as diverging for some strategy. 
Moreover, in Plotkin's calculus evaluation is not openable, that is, open and 
closed contextual notions do not coincide. In both cases, the issue is connected 
to the management of open terms. 

We then adopt Accattoli and Paolini's value substitution calculus (VSC) [9], 
which is an extension of Plotkin's calculus solving its well-known issues with open 
terms and having the same (closed) contextual equivalence. Therein, inscrutable 
terms are characterized as those diverging for weak evaluation →w. 

For the VSC, we prove light genericity for →w-diverging terms. We use a 
different technique with respect to the CbN case, namely we rely on Ehrhard's 
CbV multi types [20] (multi types are also known as non-idempotent intersection 
types), because Takahashi's technique does not easily adapt to the CbV case. We 
also give a proof of maximality (essentially Egidi et al. [19]'s argument used as 
blueprint for the CbN case) from which it follows that evaluation in the VSC is 
openable, in contrast with evaluation in Plotkin's calculus. 

As hinted at above, it is relevant that in CbV we study light genericity rather 
than the heavy variant because the notion of full normal form in the CbV case is 
less standard. Firstly, it differs between Plotkin's calculus and the VSC. Secondly, 
it also differs between various refinements of Plotkin's calculus that can properly 
manage open terms, as discussed by Accattoli et al. [7]. 


Contribution 5: Co-Genericity. A difference between the head CbN case and the 
weak CbV case is given by an interesting class of terms, those evaluating to an 
infinite sequence of abstractions, that is, such that $t \to^*_w \lambda x.t'$ with $t'$ having 
the same property. Such terms are $\to_h$-diverging (thus head CbN meaningless), 
but $\to_w$-normalizing (CbV meaningful), and hereditarily so. We prove that these 
$\to_w$-super (normalizing) terms are maximum elements of the CbV contextual 
pre-order, and the statement of this fact is a new notion of co-genericity: 


Co-Genericity: let $t$ be $\to_w$-super and $C$ be a context such that $C\langle u\rangle$ is 
$\to_w$-normalizing for some $u$. Then, $C\langle t\rangle$ is $\to_w$-normalizing. 


We then show a strengthened collapsibility result: all $\to_w$-diverging terms and all 
$\to_w$-super terms can be consistently collapsed. 


Contribution 6: Alternative Proofs via Applicative Bisimilarity. Lastly, we show 
a different route to proving light genericity and co-genericity—in CbV, but the 
technique is general—by exploiting the link with contextual pre-orders. Namely, 
we give a second proof that weak CbV evaluation is openable in the VSC 
without using light genericity, and then we use the soundness of CbV applicative 
bisimilarity with respect to the (closed) contextual pre-order for giving very 
simple proofs of light genericity and co-genericity. 


Related Work. There are many proofs of CbN genericity in the literature (but 
they do not all prove the same statement): a topological one by Barendregt [14, 
Prop. 14.3.24], via intersection types by Ghilezan [24], rewriting-based ones by 
Takahashi [44], Kuper [30], Kennaway et al. [28], and Endrullis and de Vrijer [21], 
and via Taylor expansion by Barbarossa and Manzonetto [11]. Salibra studies a 
generalization to an infinitary λ-calculus [43]. García-Pérez and Nogueira prove 
partial genericity for Plotkin's CbV λ-calculus [23] using a different notion of 
meaningless terms, not as well-behaved as CbV inscrutable terms. 

3 Sometimes, one finds the following genericity-as-application statement: let $u$ be 
$\to_h$-diverging and $s$ be such that $su \to^*_\beta n$ with $n$ $\beta$-normal. Then $st \to^*_\beta n$ for all 
$t$. Genericity as application is weaker than heavy/light genericity, and cannot be 
directly used to infer the collapsibility of $\to_h$-diverging terms. 

The most famous application of genericity is the collapsibility of meaningless 
terms. Another application is Folkerts's invertibility of terms for $\lambda\eta$ [22]. 

Independently, Arrial, Guerrieri, and Kesner developed an alternative study 
of genericity in both CbN and CbV [10]. 


Proofs. Most proofs are omitted and can be found in the technical report [8]. 


2 Preliminaries 


In this paper, we consider two languages, the λ-calculus and the value substitution 
calculus. Here we give abstract definitions that apply to both. We then refer to a 
generic language $\mathcal{L}$ with host reduction $\to_{\mathcal{L}} \subseteq \mathcal{L} \times \mathcal{L}$, together with an evaluation 
strategy, discussed below. Terms of both languages are considered modulo $\alpha$- 
renaming. Capture-avoiding substitution is noted $t\{x{\leftarrow}u\}$. 


Evaluation Strategies. An evaluation strategy for us is a relation $\to_s \subseteq \to_{\mathcal{L}}$ which 
is either deterministic or has the diamond property, which, following Dal Lago 
and Martini [18], is defined as follows: a relation $\to_s$ is diamond if $u_1 \leftarrow_s t \to_s u_2$ 
and $u_1 \neq u_2$ imply $u_1 \to_s s \leftarrow_s u_2$ for some $s$. If $\to_s$ is diamond then it is confluent, 
all its reductions to normal form (if any) have the same length, and if there is one 
such reduction from $t$ then there are no diverging reductions from $t$; essentially, 
the diamond property is a weakened notion of determinism. 

We refer to a generic evaluation strategy with $\to_s$ or simply with $s$, and 
we also simply call it a strategy, and usually we omit the underlying language. 
The conversion relation $=_s$ associated to a strategy $s$ is the smallest equivalence 
relation containing $\to_s$. We say that $t$ is: 

— $s$-normal: if $t \not\to_s$; 
— $s$-normalizing: if there exists $u$ such that $t \to^*_s u$ and $u$ is $s$-normal; 
— $s$-diverging: if $t$ is not $s$-normalizing. 


We say that $s$ is: 

— Consistent: if there exist two closed terms $t$ and $u$ such that $t$ is $s$-normalizing 
and $u$ is $s$-diverging; 

— Normalizing: if $t \to^*_{\mathcal{L}} u$ with $u$ $s$-normal implies that $t$ is $s$-normalizing; 

— Stabilizing: if $t$ $s$-normal and $t \to^*_{\mathcal{L}} u$ imply $u$ $s$-normal; 

— Weak: if there are no $s$-redexes under abstraction. 


Contexts. An essential tool in our study shall be contexts, which are terms where 
a sub-term has been replaced by a hole $\langle\cdot\rangle$. For instance, for the λ-calculus 
they are defined as follows: $C, C' ::= \langle\cdot\rangle \mid tC \mid Ct \mid \lambda x.C$. The basic operation 
on contexts is the plugging $C\langle t\rangle$ of a term $t$ in $C$, which simply replaces $\langle\cdot\rangle$ 
with $t$ in $C$, possibly capturing variables. For instance, $(\lambda x.\langle\cdot\rangle)\langle xy\rangle = \lambda x.xy$. 
Note that plugging cannot be expressed as capture-avoiding substitution since 
$(\lambda x.z)\{z{\leftarrow}xy\} = \lambda x'.xy \neq \lambda x.xy$. 


Contextual Equivalences and Pre-Orders. The standard of reference for program 
equivalences is contextual equivalence. The following definition slightly generalizes 
the standard one so as to also cover the open case studied in this paper. 


Definition 1 (Open and Closed Contextual Pre-Order and Equivalence). 
Given an evaluation strategy $s$, we define the open contextual pre-order $\preceq^s_{\mathcal{C}o}$ and 
open contextual equivalence $\simeq^s_{\mathcal{C}o}$ as follows: 

— $t \preceq^s_{\mathcal{C}o} t'$ if, for all contexts $C$, $C\langle t\rangle$ is $s$-normalizing implies that $C\langle t'\rangle$ is 
$s$-normalizing; 
— $\simeq^s_{\mathcal{C}o}$ is the equivalence relation induced by $\preceq^s_{\mathcal{C}o}$, that is, $t \simeq^s_{\mathcal{C}o} t'$ if 
$t \preceq^s_{\mathcal{C}o} t'$ and $t' \preceq^s_{\mathcal{C}o} t$. 

The closed variants, simply called contextual pre-order $\preceq^s_{\mathcal{C}}$ and contextual equiv- 
alence $\simeq^s_{\mathcal{C}}$, are defined as above but restricting to contexts $C$ such that $C\langle t\rangle$ and 
$C\langle t'\rangle$ are closed terms. We say that $s$ is openable if $\preceq^s_{\mathcal{C}o}$ and $\preceq^s_{\mathcal{C}}$ coincide. 


It follows from the definitions that $\preceq^s_{\mathcal{C}o} \subseteq \preceq^s_{\mathcal{C}}$, and similarly for the equivalences, 
while the other direction is not obvious, and can indeed fail. For instance, if $p_w$ 
is weak evaluation in Plotkin's CbV λ-calculus (to be defined in Sect. 5) and 
$\delta := \lambda x.xx$ then we have $\Omega_1 := (\lambda x.\delta)(yy)\delta \preceq^{p_w}_{\mathcal{C}} \delta\delta =: \Omega$ but $\Omega_1 \not\preceq^{p_w}_{\mathcal{C}o} \Omega$ 
(the empty context separates them: $\Omega_1$ is $p_w$-normal while $\Omega$ is $p_w$-diverging). That is, 
$p_w$ is not openable. To our knowledge, the notion of openable strategy is new. 


(In)Equational Theories. A relation $R$ is compatible if $t\,R\,u$ implies $C\langle t\rangle\,R\,C\langle u\rangle$ 
for any context $C$ and any terms $t$ and $u$. A term $t$ is minimum for a pre-order $\leq$ 
if for all $u \in \mathcal{L}$, $t \leq u$. We denote abstract inequational theories with the symbol 
$\leq_{\mathcal{T}}$ to distinguish them from known program pre-orders, denoted with $\preceq_{\mathcal{P}}$. 


Definition 2 (Inequational $s$-theory). Let $s$ be an evaluation strategy. An in- 
equational $s$-theory $\leq_{\mathcal{T}}$ is a compatible pre-order on terms containing $s$-conversion. 
An inequational $s$-theory $\leq_{\mathcal{T}}$ is called: 

— Consistent: whenever it does not relate all terms; 
— $s$-ground: if $s$-diverging terms are minimum terms for $\leq_{\mathcal{T}}$; 
— $s$-adequate: if $t \leq_{\mathcal{T}} u$ and $t$ is $s$-normalizing implies $u$ is $s$-normalizing. 


The notions of $s$-ground and $s$-adequate theories generalize to an abstract and 
inequational framework the λ-calculus notions of sensible and semi-sensible 
theories (whose non-abstract inequational versions are studied in particular in the 
recent book by Barendregt and Manzonetto [16]), up to a very minor difference: 
the definitions in the literature sometimes also ask for consistency, which we treat 
independently. An equational theory is a symmetric inequational theory. 
Remark 1. Any open contextual pre-order $\preceq^s_{\mathcal{C}o}$ is $s$-adequate: if $t \preceq^s_{\mathcal{C}o} u$ then, by 
considering the empty context, $t$ $s$-normalizing implies $u$ $s$-normalizing. Closed 
contextual pre-orders, instead, are not necessarily adequate: for weak evaluation 
$p_w$ in Plotkin's calculus, $\Omega_1 \preceq^{p_w}_{\mathcal{C}} \Omega$, $\Omega_1$ is $p_w$-normal, and $\Omega$ is $p_w$-diverging. 


Lastly, we show under which conditions the contextual pre-orders $\preceq^s_{\mathcal{C}o}$ and 
$\preceq^s_{\mathcal{C}}$ are consistent inequational $s$-theories. 


Proposition 1. Let $\mathcal{L}$ be a confluent language and $s$ be a normalizing and 
stabilizing strategy. Then $\preceq^s_{\mathcal{C}o}$ and $\preceq^s_{\mathcal{C}}$ (resp. $\simeq^s_{\mathcal{C}o}$ and $\simeq^s_{\mathcal{C}}$) are inequational 
(resp. equational) $s$-theories. Moreover, if $s$ is consistent then $\preceq^s_{\mathcal{C}o}$, $\preceq^s_{\mathcal{C}}$, $\simeq^s_{\mathcal{C}o}$, 
and $\simeq^s_{\mathcal{C}}$ are consistent. 


3 Light Genericity and Collapsibility 


As working notion of genericity, we adopt the following abstract light version. 


Definition 3 (Light genericity). Let $s$ be an evaluation strategy. Light $s$- 
genericity is the following property: if $u$ is $s$-diverging and $C$ is a context such 
that $C\langle u\rangle$ is $s$-normalizing, then $C\langle t\rangle$ is $s$-normalizing for all $t$. Concisely: $s$- 
diverging terms are minimums for $\preceq^s_{\mathcal{C}o}$. Very concisely: $\preceq^s_{\mathcal{C}o}$ is $s$-ground. 


We now show that light genericity is enough to obtain the main application of 
Barendregt's heavier notion, that is, that $s$-diverging terms can be consistently 
equated (when $s$ is consistent, which is a very mild hypothesis verified by all 
strategies of interest), by showing that they are contextually equivalent, in both 
the closed and open variants, independently of whether the strategy is openable. 


Proposition 2 (Collapsibility). Let $s$ be a consistent evaluation strategy sat- 
isfying light genericity. Then: 


1. Open: $\simeq^s_{\mathcal{C}o}$ equates all $s$-diverging terms and it is consistent; 
2. Closed: $\simeq^s_{\mathcal{C}}$ equates all $s$-diverging terms and it is consistent. 


Proof. 1. By light genericity, $s$-diverging terms are minimums for $\preceq^s_{\mathcal{C}o}$. Since 
then any two $s$-diverging terms are $\preceq^s_{\mathcal{C}o}$-smaller than each other, $s$-diverging 
terms are $\simeq^s_{\mathcal{C}o}$-equivalent. Since $s$ is consistent, $\simeq^s_{\mathcal{C}o}$ is consistent by Prop. 1. 

2. Since $\preceq^s_{\mathcal{C}o} \subseteq \preceq^s_{\mathcal{C}}$, we obtain that light genericity implies that $s$-diverging terms 
are minimums for $\preceq^s_{\mathcal{C}}$, and so $\simeq^s_{\mathcal{C}}$ equates all $s$-diverging terms. Since $s$ is 
consistent, $\simeq^s_{\mathcal{C}}$ is consistent by Prop. 1. 


Proposition 3 (Characterization of minimum terms for $\preceq^s_{\mathcal{C}o}$). Let $s$ be 
a consistent evaluation strategy satisfying light genericity. Then the minimum 
terms for $\preceq^s_{\mathcal{C}o}$ are exactly the $s$-diverging terms. 


Proof. By light genericity, $s$-diverging terms are minimums for $\preceq^s_{\mathcal{C}o}$. Conversely, 
by consistency of $s$ there exists an $s$-diverging term $t$. Let $u$ be a minimum for 
$\preceq^s_{\mathcal{C}o}$. Then $u \preceq^s_{\mathcal{C}o} t$, hence $u$ is $s$-diverging by $s$-adequacy of $\preceq^s_{\mathcal{C}o}$ (given by 
Remark 1). 
Fig. 1. Call-by-Name calculus. 


The characterization of minimum terms does not hold in the closed case, 
because the closed contextual pre-order is not necessarily adequate (Remark 1). 
For weak evaluation $p_w$ in Plotkin's calculus, indeed, $\Omega_1$ is a minimum term for 
$\preceq^{p_w}_{\mathcal{C}}$ and it is $p_w$-normal. The characterization lifts when $s$ is openable. 


4 The Head Call-by-Name Case 


Here we revisit two results from the theory of the λ-calculus, and use them to 
prove that head evaluation is openable. The first result is genericity for unsolvable 
terms, that is, head-diverging terms, for which we give a proof of light genericity. 
The second result is the maximality of the open head contextual pre-order. 

The host language $\mathcal{L}$ here is the λ-calculus and the evaluation strategy $s$ is 
the head strategy $h$. Both are defined in Fig. 1. 


Solvability and Head Reduction. In the literature, the original notion of meaningful 
terms is that of solvable terms, characterized by Wadsworth as those terminating 
for head reduction [46]; meaningless terms are their complement. 


Definition 4 ((Un)Solvable terms). A term $t$ is solvable if there is a head 
context $H$ such that $H\langle t\rangle \to^*_\beta I = \lambda x.x$, and unsolvable otherwise. 


Theorem 1 (Operational characterization of solvability, [46]). t is solvable 
(resp. unsolvable) if and only if t is h-normalizing (resp. h-diverging). 


Apart from the proof of Thm. 4.1 below, we shall always use the operational 
characterization and never refer to solvability itself. 


Head Contextual Pre-Orders are Inequational. It is well-known that the λ- 
calculus is confluent, that head normal forms are stable by reduction (that is, $h$ 
is stabilizing), and that the following normalization theorem holds (for a recent 
simple proof of this classic result see Accattoli et al. [3]). These facts and Prop. 1 
give that the contextual pre-orders are inequational $h$-theories. 


Theorem 2 (Head normalization). If $t \to^*_\beta t'$ and $t'$ is $h$-normal then $t$ is 
$h$-normalizing. 


Proposition 4. The head pre-orders $\preceq^h_{\mathcal{C}o}$ and $\preceq^h_{\mathcal{C}}$ are inequational $h$-theories. 
Proofs of Genericity. In his book [14], Barendregt gives two proofs that $h$- 
diverging terms can be consistently equated, both using heavy genericity (defined 
in the introduction). A first one [14, Lemma 16.1.8 and Thm 16.1.9] uses it to show 
that the minimal equational theory equating them, noted $\mathcal{H}$, is consistent. This 
proof is where the heavy part of genericity is used. A second proof [14, Lemma 
16.2.3] exploits the consistency of $\simeq^h_{\mathcal{C}o}$ (noted $\mathcal{H}^*$ in [14]), which is trivial, and 
uses genericity to show that $\mathcal{H} \subseteq \simeq^h_{\mathcal{C}o}$, i.e. that $\simeq^h_{\mathcal{C}o}$ equates all $h$-diverging terms. 

The second proof in [14] uses heavy genericity, but the heavy aspect is in fact 
not needed for the proof to go through. The abstract result of the previous section, 
indeed, follows essentially the same reasoning and uses only light genericity. 

We now prove light genericity for head reduction, via a direct proof, using 
the rewriting properties of head reduction. 


Head Light Genericity via Takahashi’s Technique. Our proof of light genericity 
adapts Takahashi’s simple technique for heavy genericity [44]. We stress that two 
standard and crucial properties of head reduction are at work in Takahashi’s proof, 
despite the fact that she does not point them out, namely the head normalization 
theorem (Theorem 2) and the following property. 


Proposition 5 (Head substitutivity). If $t \to^*_h u$ then $t\{x{\leftarrow}s\} \to^*_h u\{x{\leftarrow}s\}$, 
for all $t, u, s$. 


Firstly, we prove genericity for h-normal forms, via a simple induction on the 
structure of normal forms, using an auxiliary lemma [8, Lemma 4]. 


Proposition 6 (Normal genericity). Let $u$ be $h$-diverging and $s$ be any 
term. 


1. If $r$ is a rigid term and $r\{x{\leftarrow}u\}$ is $h$-normalizing then $r\{x{\leftarrow}s\}$ is a rigid term. 
2. If $h$ is $h$-normal and $h\{x{\leftarrow}u\}$ is $h$-normalizing then $h\{x{\leftarrow}s\}$ is $h$-normal. 


We can now prove (light) genericity, which is done in two steps. The first one 
simply lifts h-normal genericity to non-h-normal terms, obtaining a substitution- 
based version of genericity. The second one turns the substitution-based state- 
ment into a context-based statement, and its proof is what we shall refer to as 
Takahashi’s trick. For the sake of clarity, note that the two statements are not 
immediately equivalent, since substitution is a capture-avoiding operation while 
context plugging may capture free variables. 


Theorem 3 (Light genericity). Let $u$ be $h$-diverging and $s$ be any term. 


1. Light genericity as substitution: if $t$ is a term and $t\{x{\leftarrow}u\}$ is $h$-normalizing 
then $t\{x{\leftarrow}s\}$ is $h$-normalizing. 

2. Light genericity as context: if $C$ is a context and $C\langle u\rangle$ is $h$-normalizing then 
$C\langle s\rangle$ is $h$-normalizing. 


Proof. 1. It follows from Prop. 5 (precisely, via [8, Lemma 4]) that if $t\{x{\leftarrow}u\}$ 
is $h$-normalizing then so is $t$. Then $t \to^*_h h$ for some $h$-normal $h$. Again, by 
stability of head reduction under substitutions, we have both $t\{x{\leftarrow}u\} \to^*_h h\{x{\leftarrow}u\}$ 
and $t\{x{\leftarrow}s\} \to^*_h h\{x{\leftarrow}s\}$. Note that $t\{x{\leftarrow}u\}$ $h$-normalizing implies $h\{x{\leftarrow}u\}$ 
$h$-normalizing. By normal genericity (Prop. 6), $h\{x{\leftarrow}s\}$ is $h$-normal. Therefore, 
$t\{x{\leftarrow}s\}$ is $h$-normalizing. 

2. Let $\mathrm{fv}(u) \cup \mathrm{fv}(s) = \{x_1, \ldots, x_k\}$, and $y$ be a variable fresh with respect to 
$\mathrm{fv}(u) \cup \mathrm{fv}(s) \cup \mathrm{fv}(C)$ and not captured by $C$. Note that $\bar{u} := \lambda x_1 \ldots \lambda x_k.u$ 
is a closed term. Consider $t := C\langle y x_1 \ldots x_k\rangle$, and note that: 

$t\{y{\leftarrow}\bar{u}\} = C\langle \bar{u}\, x_1 \ldots x_k\rangle = C\langle(\lambda x_1 \ldots \lambda x_k.u)\, x_1 \ldots x_k\rangle \to^*_\beta C\langle u\rangle.$ 

The fact that $u$ is $h$-diverging implies that $\bar{u}$ is also $h$-diverging. If $C\langle u\rangle$ 
is $h$-normalizing then so is $t\{y{\leftarrow}\bar{u}\}$ by the $h$-normalization theorem (Theo- 
rem 2). By genericity as substitution, $t\{y{\leftarrow}s'\}$ is $h$-normalizing for every $s'$. 
In particular, take $s' := \bar{s} = \lambda x_1 \ldots \lambda x_k.s$; then $t\{y{\leftarrow}\bar{s}\}$ $h$-normalizes to some 
$h$, and note that $t\{y{\leftarrow}\bar{s}\} \to^*_\beta C\langle s\rangle$. Since $\beta$ is confluent and head reduction is 
stabilizing, there exists an $h$-normal form $h'$ such that $h \to^*_\beta h'$ and $C\langle s\rangle \to^*_\beta h'$. 
By the $h$-normalization theorem (Theorem 2), $C\langle s\rangle$ is $h$-normalizing. 


Maximality of $\preceq^h_{\mathcal{C}o}$. Barendregt shows that $\simeq^h_{\mathcal{C}o}$ is a maximal consistent theory, 
that is, that equating more terms would yield an inconsistent theory [14, Thm 
16.2.6]. Later on, Barendregt and Manzonetto refine the result for $\preceq^h_{\mathcal{C}o}$ [16], by 
using the same technique, which relies on Böhm's theorem. We present here a 
new proof of maximality based only on light genericity and not needing Böhm's 
theorem, which is a heavier property, thus obtaining an arguably simpler proof. 
It is inspired by the proof of maximality for CbV by Egidi et al. [19]. 


Theorem 4. 1. Let $\mathcal{T}$ be an inequational $h$-theory that is $h$-ground but not 
$h$-adequate. Then $\mathcal{T}$ is inconsistent. 
2. Maximality of $\preceq^h_{\mathcal{C}o}$: $\preceq^h_{\mathcal{C}o}$ is a maximal consistent inequational $h$-theory. 


Proof. 1. Since $\mathcal{T}$ is not $h$-adequate, there are $t$ $h$-normalizing and $u$ $h$-diverging 
such that $t \leq_{\mathcal{T}} u$. Since $t$ is $h$-normalizing, by solvability there is a head 
context $H$ sending it to the identity $I$. By the definition of inequational 
theory, we have $I =_{\mathcal{T}} H\langle t\rangle \leq_{\mathcal{T}} H\langle u\rangle$. Now, let $s$ be a term. Then $s =_{\mathcal{T}} Is$ 
because $=_h \subseteq \mathcal{T}$ by definition of inequational theory. By the context closure 
of theories and $I \leq_{\mathcal{T}} H\langle u\rangle$, we obtain $Is \leq_{\mathcal{T}} H\langle u\rangle s$. Since $u$ is $h$-diverging, 
thus unsolvable, $H\langle u\rangle$ is $h$-diverging. Since $\mathcal{T}$ is $h$-ground and both $H\langle u\rangle$ 
and $H\langle u\rangle s$ are $h$-diverging, $H\langle u\rangle s =_{\mathcal{T}} H\langle u\rangle$. Summing up, $s =_{\mathcal{T}} Is \leq_{\mathcal{T}} 
H\langle u\rangle s =_{\mathcal{T}} H\langle u\rangle$ and, by the fact that $\mathcal{T}$ is $h$-ground, $H\langle u\rangle \leq_{\mathcal{T}} s$. Hence, 
$s =_{\mathcal{T}} H\langle u\rangle$ for every term $s$, that is, $\mathcal{T}$ is inconsistent. 

2. Any theory $\mathcal{T}$ strictly extending $\preceq^h_{\mathcal{C}o}$ is such that $t \leq_{\mathcal{T}} u$ with $t \not\preceq^h_{\mathcal{C}o} u$, i.e. such that 
$C\langle t\rangle$ is $h$-normalizing and $C\langle u\rangle$ is $h$-diverging for some $C$. By compatibility of 
$\mathcal{T}$, $C\langle t\rangle \leq_{\mathcal{T}} C\langle u\rangle$. Hence $\mathcal{T}$ is not $h$-adequate. Since $\preceq^h_{\mathcal{C}o}$ is $h$-ground by head 
light genericity (Theorem 3), every theory $\mathcal{T}$ extending $\preceq^h_{\mathcal{C}o}$ is also $h$-ground. 
Then $\mathcal{T}$ is $h$-ground and not $h$-adequate. By Point 1, $\mathcal{T}$ is inconsistent. 


Maximality and Head is Openable. From maximality of $\preceq^h_{\mathcal{C}o}$ it elegantly follows 
that $\preceq^h_{\mathcal{C}o}$ and $\preceq^h_{\mathcal{C}}$ coincide. To our knowledge, there is no such result in the 
literature but it is folklore for CbN. Note that, despite the apparently trivial 
proof that we provide below, the equivalence of $\preceq^h_{\mathcal{C}o}$ and $\preceq^h_{\mathcal{C}}$ is not a trivial fact, 
as the crucial inclusion $\preceq^h_{\mathcal{C}} \subseteq \preceq^h_{\mathcal{C}o}$ cannot be proved directly from the definitions 
of the pre-orders; in our proof, the non-trivial aspect is encapsulated in the 
use of maximality. Paolini proves that closed theories can be uniquely extended 
to open terms [37], but this does not imply that the extension of the closed 
contextual pre-order coincides with the open contextual pre-order. 

Fig. 2. Plotkin's CbV and Weak Evaluation $p_w$. 


Proposition 7 (Head evaluation is openable). Open and closed head con- 
textual pre-orders coincide: $\preceq^h_{\mathcal{C}o} = \preceq^h_{\mathcal{C}}$. 


Proof. Firstly, $\preceq^h_{\mathcal{C}o} \subseteq \preceq^h_{\mathcal{C}}$ follows from the definitions. Secondly, by maximality 
of $\preceq^h_{\mathcal{C}o}$ (Theorem 4) and since $\preceq^h_{\mathcal{C}}$ is consistent (because $I \not\preceq^h_{\mathcal{C}} \Omega$), we have that 
the two pre-orders must coincide, i.e. $\preceq^h_{\mathcal{C}o} = \preceq^h_{\mathcal{C}}$. 


5 Weak Call-by-Value and the VSC 


We now turn our attention to the CbV case, for which the literature has already 
extensively discussed two issues that arise when adapting the CbN case to 
Plotkin's CbV λ-calculus, recalled after the definition of the calculus. 


Plotkin's CbV λ-Calculus. Plotkin's CbV λ-calculus is defined in Fig. 2, following 
the modern presentation by Dal Lago and Martini [18] rather than Plotkin's 
original one [40]. We also define its weak evaluation strategy $\to_{p_w}$. 


Issue 1: CbV Unsolvable Terms Are Not Collapsible. As pointed out by Accattoli 
and Guerrieri [6], the CbV variant of unsolvable terms is not a good notion 
of meaningless terms, as their identification induces an inconsistent equational 
theory. The solution amounts to switching to a different notion of meaningless 
terms, the inscrutable ones (which coincide with the non-potentially valuable terms 
of Paolini and Ronchi della Rocca [38,36,41]), which are collapsible [6]. 


Definition 5 (Testing contexts). Testing contexts are defined by the following 
grammar: $T ::= \langle\cdot\rangle \mid (\lambda x.T)t \mid Tt$. 


Definition 6 ((In)Scrutable terms). A term $t$ is scrutable if there is a testing 
context $T$ and a value $v$ such that $T\langle t\rangle \to^* v$ (for the host reduction of the 
calculus at hand), and inscrutable otherwise. 

Fig. 3. Weak Value Substitution Calculus. 


Issue 2: CbV Inscrutable Terms Have No Operational Characterization in Plotkin's 
CbV. The term $\Omega_1 := (\lambda x.\delta)(yy)\delta$ is inscrutable but $\to_{p_w}$-normal (its argument $yy$ 
is neither a value nor reducible, so the $\beta_v$-redex never fires). Therefore, in 
Plotkin's CbV there cannot be any operational characterization of inscrutable 
terms via a notion of divergence, as instead happens in CbN (Thm. 1). This 
fact is a real drawback, and boils down to the well-known inability of Plotkin's 
calculus to deal with open terms, which is also the reason why, as we have 
pointed out in Sect. 2, the closed and open contextual notions induced by weak 
evaluation in Plotkin's calculus do not coincide. 

The solution amounts to switching to a refined CbV A-calculus, extending 
Plotkin’s as to better deal with open terms while retaining the same notion of 
contextual equivalence, as we now explain. 


The VSC. Accattoli and Paolini’s value substitution calculus (VSC) [9], defined 
in Figure 3, is exactly one such framework. 

Intuitively, the VSC is a Cb


V λ-calculus extended with let-expressions, as is 
common for CbV λ-calculi such as Moggi's [33,34]. We do however replace a 
let-expression let $x = u$ in $t$ with a more compact explicit substitution (ES for short) 
notation $t[x{\leftarrow}u]$, which binds $x$ in $t$ and has precedence over abstraction and 
application (that is, $\lambda x.t[y{\leftarrow}u]$ stands for $\lambda x.(t[y{\leftarrow}u])$ and $ts[y{\leftarrow}u]$ for $t(s[y{\leftarrow}u])$). 
Moreover, our let/ES does not fix an order of evaluation between $t$ and $u$, in 
contrast to many papers in the literature (e.g. Sabry and Wadler [42] or Levy et 
al. [32]) where $u$ is evaluated first. 

The reduction rules of the VSC are slightly unusual as they use contexts both 
to allow one to reduce redexes located in sub-terms, which is standard, and to 
define the redexes themselves, which is less standard; rules of this kind are said to be 
at a distance. The rationale is that the rewriting rules are designed to mimic cut- 
elimination on proof nets, via Girard's CbV translation $(A \Rightarrow B)^v = {!}(A^v \multimap B^v)$ 
of intuitionistic logic into linear logic [25], see Accattoli [2]. 

Examples of steps: $(\lambda x.y)[y{\leftarrow}t]u \to_{\mathsf{m}} y[x{\leftarrow}u][y{\leftarrow}t]$ and $(\lambda z.xx)[x{\leftarrow}y[y{\leftarrow}t]] \to_{\mathsf{e}} 
(\lambda z.yy)[y{\leftarrow}t]$. One with on-the-fly $\alpha$-renaming is $(\lambda x.y)[y{\leftarrow}t]y \to_{\mathsf{m}} z[x{\leftarrow}y][z{\leftarrow}t]$. 

A key point is that $\beta$-redexes are decomposed via ESs: indeed $\to_{\beta_v}$ is simulated 
as $(\lambda x.t)v \to_{\mathsf{m}} t[x{\leftarrow}v] \to_{\mathsf{e}} t\{x{\leftarrow}v\}$. Note that the by-value restriction is on ES- 
redexes, not on $\beta$-redexes, because only values can be substituted. The VSC is 
a conservative refinement for both closed and open terms: its weak evaluation 
on closed terms terminates if and only if Plotkin's $\to_{p_w}$ does, hence the closed 
contextual pre-orders coincide (Prop. 8.3 below). On open terms, the VSC can 
simulate every $\to_{p_w}$ step, but not vice-versa (which is why we adopt the VSC). 


The Characterization of Inscrutable Terms. In the VSC, (in)scrutable terms 
admit an operational characterization, due to Accattoli and Paolini [9]. 


Theorem 5 (Operational characterization of (in)scrutability, [9]). t is 
scrutable (resp. inscrutable) if and only if t is w-normalizing (resp. w-diverging). 


Apart from the proof of Thm. 8 below and Prop. 15 in Section 10, we shall 
always use the operational characterization and never refer to scrutability itself. 


Weak Contextual Pre-Orders Are Inequational. The VSC is confluent and its 
weak strategy $w$ is diamond [9]. Moreover, $w$ is stabilizing and the normalization 
theorem below holds. These facts and Prop. 1 give that the contextual pre-orders 
are inequational $w$-theories. Moreover, the closed pre-order coincides with the 
one on Plotkin's calculus (see the footnote below). 


Proposition 8. 1. Weak normalization [6]: if $t \to^*_{\mathsf{vsc}} t'$ and $t'$ is $w$-normal then 
$t$ is $w$-normalizing. 
2. Inequational theories: $\preceq^w_{\mathcal{C}o}$ and $\preceq^w_{\mathcal{C}}$ are inequational $w$-theories. 
3. VSC and Plotkin's contextual pre-orders coincide [6]: on λ-terms, $\preceq^w_{\mathcal{C}} = \preceq^{p_w}_{\mathcal{C}}$. 


6 Light Genericity for Weak Call-by-Value 


Here, we prove a new result: light genericity for weak evaluation in the VSC. 


Takahashi’s Technique Does Not Really Scale Up. Proving CbV light genericity 
via Takahashi’s technique is not as elegant as for CbN. We did develop such 
a proof, but it is considerably more involved than for CbN. There are various 
reasons. Firstly, the substitutivity property of Prop. 5 does not hold in CbV. 
Substitutivity for values does hold, but one really needs general substitutivity. 
Secondly, Takahashi’s trick lifting genericity as substitutions to genericity as 
contexts also breaks, because it is based on adding abstractions, which do not 
change unsolvability but do affect inscrutability. Thirdly, head reduction reduces 
only on the head, while weak reduction reduces in all sub-terms out of abstractions, 
which raises additional difficulties. Therefore, we follow a different approach. 


† (Footnote to Prop. 8.3.) The closed CbV contextual pre-order in Carraro and Guerrieri's shuffling calculus 
[17], studied by Kerinec et al. in [29], also coincides with $\preceq^w_{\mathcal{C}} = \preceq^{p_w}_{\mathcal{C}}$. Moreover, the 
open pre-order of the shuffling calculus coincides with the one of the VSC. These 
facts follow easily from results relating the three calculi in [26,4,6]. 

Fig. 4. Call-by-Value Multi Type System for VSC. 


Light Genericity via Multi Types. We provide a proof of light genericity relying on 
Accattoli and Guerrieri's characterization of $w$-diverging terms [6] via Ehrhard's 
CbV multi types [20] (multi types are also known as non-idempotent intersection 
types). The idea behind the proof is very simple: we show that multi types induce 
a pre-order $\preceq_{\mathsf{type}}$ contained in the open contextual pre-order, that is, $\preceq_{\mathsf{type}} \subseteq \preceq^w_{\mathcal{C}o}$, 
and that $w$-diverging terms are minimum elements for $\preceq_{\mathsf{type}}$, which implies that 
they are minimums for $\preceq^w_{\mathcal{C}o}$. The proof itself is very simple as well. What is less 
simple is the characterization of $w$-diverging terms via multi types, which however 
we use as a black box from the literature. The same technique can be used also 
in CbN, since $h$-diverging terms can also be characterized via multi types. 

Our argument via multi types is similar to Ghilezan’s one based on intersection 
types for CbN [24], even if the details are quite different: she proves a different 
statement, namely heavy genericity in its as-application variant (see the footnote 
at page 5), and she uses intersection types (which are idempotent, or non-linear). 
We use multi types because the result from the literature that we exploit is based 
on them, but the proof technique could also be based on intersection types (once 
the result from the literature is adapted, which is possible). 


CbV Multi Types. We introduce the bare minimum about CbV multi types, since 
here they are used only as a tool, not as an object of study. For more, see [5,6]. 

The definition of the multi type system for the VSC is in Figure 4. Multi types 
$M$ are defined by mutual induction with linear types $L$. Multi types are finite 
multisets $[L_1, \ldots, L_n]$, which intuitively denote the intersection $L_1 \cap \ldots \cap L_n$, 
where the intersection $\cap$ is a commutative, associative and non-idempotent 
($A \cap A \neq A$) operator, the neutral element of which is $[\,]$, the empty multiset. 
Note that there is no ground type; its role is played by the empty multi type $[\,]$. 

Typing judgments have shape $\Gamma \vdash t : T$ where $T$ is a linear or a multi type 
and $\Gamma$ is a typing context, that is, an assignment of multi types to a finite set of 
variables ($\Gamma = x_1 : M_1, \ldots, x_n : M_n$). A typing derivation $\pi \triangleright \Gamma \vdash t : M$ is a tree 
built from the rules in Figure 4 which ends with the typing judgment $\Gamma \vdash t : M$. 


Typing Rules. Linear types only type values, via the rules ax and λ. To give a 
multi type to a value $v$, one has to use the many rule, turning an indexed family of 
linear types for $v$ into a multi type. Note that any value can be typed with the 
empty multi type $[\,]$. The symbol $\uplus$ is the disjoint union operator on multisets 
(corresponding to the intersection operator when intersections are multisets). 

Characterization of Termination. The key property of CbV multi types is that 
typability characterizes termination with respect to weak evaluation $\to_w$; therefore 
$w$-diverging terms are simply the untypable ones. The characterization is proved 
via subject reduction and expansion. 


Theorem 6 (Characterization of termination, [6]). 


1. Subject reduction and expansion: let $t \to_{\mathsf{vsc}} u$. Then $\Gamma \vdash t : M$ if and only if $\Gamma \vdash u : M$. 
2. $t$ is $\to_w$-normalizing if and only if there exist $\Gamma$ and $M$ such that $\Gamma \vdash t : M$. 


Type Pre-order. The type pre-order is defined as follows. 


Definition 7 (Type pre-order). The type pre-order $t \preceq_{\mathsf{type}} t'$ holds if $\Gamma \vdash t : M$ 
implies $\Gamma \vdash t' : M$ for all $\Gamma$ and $M$. 


Point 2 of Thm. 6 ensures that $\preceq_{\mathsf{type}}$ is both $w$-ground (which is the key 
point of the proof technique: a $w$-diverging term has no type, so it is vacuously 
$\preceq_{\mathsf{type}}$-below every term) and $w$-adequate. We also show that $\preceq_{\mathsf{type}}$ is an 
inequational $w$-theory. Point 1 of Thm. 6 implies that $\preceq_{\mathsf{type}}$ contains $w$-conversion. 
Compatibility holds because $\preceq_{\mathsf{type}}$ is defined via a compositional type system. 


Proposition 9. The type pre-order $\preceq_{\mathsf{type}}$ is a $w$-ground, $w$-adequate, and con- 
sistent inequational $w$-theory. 


Adequacy and compatibility of $\preceq_{\mathsf{type}}$ imply that $\preceq_{\mathsf{type}} \subseteq \preceq^w_{\mathcal{C}o}$, hence minimum 
elements of $\preceq_{\mathsf{type}}$ are minimum for $\preceq^w_{\mathcal{C}o}$. 


Theorem 7 (Light genericity for $w$). $\preceq^w_{\mathcal{C}o}$ is $w$-ground. 


7 CbV Maximality 


Here, we use light genericity to prove maximality of $\preceq^w_{\mathcal{C}o}$ and the fact that $w$ is 
openable, adapting the proofs for the head case. 


Maximality of $\preceq^w_{\mathcal{C}o}$. The following result adapts to our setting a result of Accattoli 
and Guerrieri [6, Thm 6.5], itself adapting a result by Egidi et al. [19, Prop 35]. 


Theorem 8. 1. Any $w$-ground inequational theory $\mathcal{T}$ that is not $w$-adequate is 
inconsistent. 
2. Maximality of $\preceq^w_{\mathcal{C}o}$: $\preceq^w_{\mathcal{C}o}$ is a maximal consistent inequational $w$-theory. 


Proof. 1. Since $\mathcal{T}$ is not $w$-adequate, there are $t$ $w$-normalizing and $u$ $w$-diverging 
such that $t \leq_{\mathcal{T}} u$. Since $t$ is $w$-normalizing, $t$ is scrutable, that is, there is a 
testing context $T$ sending it to a value $v$. By the definition of inequational $w$- 
theory, we have $v =_{\mathcal{T}} T\langle t\rangle \leq_{\mathcal{T}} T\langle u\rangle$. Now, let $s$ be a term and $y \notin \mathrm{fv}(s)$. Then 
$s =_{\mathcal{T}} (\lambda y.s)v$ because $=_w \subseteq \mathcal{T}$ by definition of inequational theory. By the 
compatibility of theories and $v \leq_{\mathcal{T}} T\langle u\rangle$, we obtain $(\lambda y.s)v \leq_{\mathcal{T}} (\lambda y.s)T\langle u\rangle$. 
Since $u$ is $w$-diverging, thus inscrutable, $T\langle u\rangle$ is also $w$-diverging. Since $\mathcal{T}$ is 
$w$-ground and both $T\langle u\rangle$ and $(\lambda y.s)T\langle u\rangle$ are $w$-diverging, $(\lambda y.s)T\langle u\rangle =_{\mathcal{T}} T\langle u\rangle$. 
Summing up, $s =_{\mathcal{T}} (\lambda y.s)v \leq_{\mathcal{T}} (\lambda y.s)T\langle u\rangle =_{\mathcal{T}} T\langle u\rangle$ and, since $\mathcal{T}$ is $w$-ground, 
$T\langle u\rangle \leq_{\mathcal{T}} s$. Hence, $s =_{\mathcal{T}} T\langle u\rangle$ for every term $s$, that is, $\mathcal{T}$ is inconsistent. 

2. From Point 1 and CbV light genericity (Thm. 7), as in the head case. 


The proof of Thm. 8.1 is similar to the one of the CbN case, but it is not the 
same argument: the CbN one relies on solvability, reduction to the identity, and 
head context closure; the CbV one relies on scrutability, reduction to a value, a 
different context closure, and on the fact that diverging arguments cannot be 
erased in CbV. Therefore, our proofs of maximality cannot be done abstractly. 

The fact that weak evaluation is openable then follows as in the head case. 


Proposition 10 (Weak evaluation is openable in the VSC). Open and closed weak contextual pre-orders coincide: $\preceq^{w}_{C} = \preceq^{w}_{C_0}$.


8 Co-Genericity 
Here, we study a new notion dual to light genericity, which we dub co-genericity. 


s-Super Terms. In the $\lambda$-calculus (both in CbN and CbV) there are terms reducing to an infinite sequence of abstractions using strong evaluation. For instance, let $\delta_{\lambda} := \lambda x.\lambda y.xx$; then $\Omega_{\lambda} := \delta_{\lambda}\delta_{\lambda}$ is one such term. Indeed, its weak evaluation gives $\Omega_{\lambda} \to_{w} \lambda y.\Omega_{\lambda}$. Now, the new copy of $\Omega_{\lambda}$ shall itself (strongly) reduce to $\lambda y.\Omega_{\lambda}$, and so on, producing $\lambda y.\lambda y.\lambda y.\ldots$. Such a behavior, when seen with respect to weak evaluation, is a form of hereditary, or super, normalization.

Note that the example can be generalized by using $\delta_{\lambda^k} := \lambda x.\lambda y_1.\ldots\lambda y_k.xx$ instead of $\delta_{\lambda}$, obtaining a family of terms $\Omega_{\lambda^k} := \delta_{\lambda^k}\delta_{\lambda^k}$ all producing infinitely many head abstractions and with no (finite) reduct in common. As for meaningless terms, it is natural to wonder whether these super meaningful terms can all be consistently collapsed. In the literature, super terms appear in weak CbN as maximum ($\top$) elements in Lévy-Longo trees [31] (but we are not aware of a proof that these $\top$-enriched Lévy-Longo trees induce a consistent equational theory) and in the hierarchy of unsolvable terms [35,1] as unsolvable terms of order $\infty$. In CbV, we believe that super terms have not been studied.

Here we connect the collapsibility of super terms to a sort of dual variant 
of light genericity. We start by setting up the concept of super normalization 
abstractly. It is specific to weak strategies and makes sense also for weak CbN. 


Definition 8 (s-super terms). Let s be a weak strategy. A term $t$ is s-super (normalizing) if, co-inductively, $t \to_{s}^{*} \lambda x.t'$ and $t'$ is s-super.


Co-genericity is the property stating that s-super terms are maximum elements for $\preceq^{s}_{C}$, which shall be captured by the following notion of being s-roof. As expected, a term $t$ is maximum for a pre-order $\preceq$ if for all $u \in \Lambda$, $u \preceq t$.


Definition 9. Let s be a weak strategy. An inequational s-theory $\preceq_{\mathcal{T}}$ is called:

1. s-roof: if s-super terms are maximum terms for $\preceq_{\mathcal{T}}$;
2. Super s-adequate: if $t \preceq_{\mathcal{T}} u$ and $t$ is s-super entails $u$ is s-super.
Definition 10 (Co-genericity). Let s be a weak strategy. Co-s-genericity is the following property: if $u$ is s-super and $C$ is a context such that $C\langle t\rangle$ is s-normalizing for some $t$, then $C\langle u\rangle$ is s-normalizing. Concisely: s-super terms are maximum for $\preceq^{s}_{C}$. Very concisely: $\preceq^{s}_{C}$ is s-roof.


Note that there cannot be a heavy co-genericity property mentioning strong 
normal forms because s-super terms are diverging for strong s-evaluation, by def- 
inition. Co-genericity is thus enabled by the switch from heavy to light genericity. 

As for light genericity, co-genericity is enough to prove that s-super terms 
can be consistently equated (as soon as s is consistent). 


Proposition 11 (Collapsibility). Let s be a consistent weak strategy satisfying co-genericity. Then $\simeq^{s}_{C}$ equates all s-super terms and it is consistent.


A weak strategy s is super consistent if there exists an s-super term.


Proposition 12 (Characterization of maximum terms for $\preceq^{s}_{C}$). Let s be a super consistent weak strategy satisfying co-genericity. If $\preceq^{s}_{C}$ is super s-adequate then the maximum terms for $\preceq^{s}_{C}$ are exactly the s-super terms.


Proof. By co-genericity, s-super terms are maximum for $\preceq^{s}_{C}$. For the other direction, let $t$ be an s-super term, which exists by super consistency of s, and let $u$ be maximum for $\preceq^{s}_{C}$. Then $t \preceq^{s}_{C} u$. By super s-adequacy, $u$ is s-super.


The two following sections present independent proofs of co-genericity for weak evaluation in the VSC. We do not use multi types for good reasons: w-super terms are not maximum for $\preceq^{w}_{\mathrm{type}}$, see the technical report [8, Prop. 18].


9 CbV Co-Genericity via Takahashi’s Technique 


In this section, we prove co-genericity for weak evaluation in the VSC adapting 
Takahashi’s technique for genericity. 


Co-Genericity via Normal Forms. The proof of co-genericity for CbV is based on a key property of w-super terms with respect to w-normal forms, akin to the normal genericity lemma of the CbN case. Then co-genericity follows via Takahashi's trick, which is not problematic here, since w-super terms are stable by adding head abstractions. Another difficulty arises in CbV, however, which is discussed in the technical report [8, p.27] before the proof of the following lemma.


Lemma 1 (Key property of w-super terms). Let $s$ be a w-super term. If $n$ is a w-normal form then $n\{x{\leftarrow}s\}$ is w-normalizing.


As CbV evaluation only validates value-substitutivity (substitutivity restricted to values: if $t \to_{w} u$ then for all values $v$, $t\{x{\leftarrow}v\} \to_{w} u\{x{\leftarrow}v\}$), the statement of co-genericity as substitution is split into two points.

Lemma 2 (Co-genericity). Let $u$ be any term, $s$ be a w-super term, $v$ be any value, and $v'$ be a w-super value.
1. Co-genericity as v-substitution: if $t\{x{\leftarrow}v\}$ is w-normalizing then so is $t\{x{\leftarrow}v'\}$.
2. Co-genericity as substitution: if $t\{x{\leftarrow}u\}$ is w-normalizing then so is $t\{x{\leftarrow}s\}$.
3. Co-genericity as context: if $C\langle u\rangle$ is w-normalizing then so is $C\langle s\rangle$.
Super w-Adequacy for $\preceq^{w}_{C}$. Co-genericity states that w-super terms are maximum for $\preceq^{w}_{C}$. For the full characterization (Prop. 12), we need super adequacy and super consistency. Super consistency is easily verified as $\Omega_{\lambda}$ exists.


Proposition 13 (Super w-Adequacy).

1. Super adequacy: $\preceq^{w}_{C}$ is super w-adequate.
2. Characterization of maximum terms for $\preceq^{w}_{C}$: maximum terms for $\preceq^{w}_{C}$ are exactly the w-super terms.


10 CbV (Co-)Genericity via Applicative Similarity 


In this section, we present alternative proofs of genericity and co-genericity for weak evaluation in the VSC. We use a well-known tool developed to study Plotkin's CbV contextual equivalence $\simeq^{\mathrm{Pl}}_{C_0}$, namely the CbV variant [27,39] of Abramsky's applicative (bi)similarity [1].

The following definition differs slightly from the literature on two points. 
Firstly, we use a well known equivalent definition that does not ask that the 
results of evaluation are similar (which is a fact needed for the definition of 
applicative simulations, but not for applicative similarity). Secondly, we replace 
Plotkin’s CbV by the VSC, which are equivalent for closed terms. 


Definition 11 (Applicative similarity [1]). Applicative similarity $t \preceq^{w}_{\mathrm{app}} u$ is the relation on closed terms defined by: if $t\,v_1 \ldots v_n$ is w-normalizing then $u\,v_1 \ldots v_n$ is w-normalizing, for all $n \in \mathbb{N}$ and $v_1, \ldots, v_n$ closed values. Applicative similarity is extended to open terms via closing substitutions: $t \preceq^{w}_{\mathrm{app}} u$ if $t\sigma \preceq^{w}_{\mathrm{app}} u\sigma$ for all substitutions of values $\sigma$ closing $t$ and $u$.


From the following lemma, it follows easily that w-diverging and w-super terms are minimum and maximum for $\preceq^{w}_{\mathrm{app}}$.


Lemma 3. If $t$ is w-diverging (resp. w-super) then so are $t\{x{\leftarrow}v\}$ and $t\,v$.


Proposition 14. 1. Minimums: w-diverging terms are minimum for $\preceq^{w}_{\mathrm{app}}$.
2. Maximums: w-super terms are maximum for $\preceq^{w}_{\mathrm{app}}$.


Proof. 1. Let $t$ be a w-diverging term and $u$ any term. Then by Lemma 3, for any closing substitution $\sigma$ of $t$ and $u$ and for any $n$ and any values $v_1, \ldots, v_n$ we still have that $t\sigma\, v_1 \ldots v_n$ is w-diverging. Hence $t \preceq^{w}_{\mathrm{app}} u$ for any term $u$, that is, $t$ is a minimum term for $\preceq^{w}_{\mathrm{app}}$.

2. Let $t$ be a w-super term and $u$ any term. For any closing substitution $\sigma$ of $t$ and $u$ and for any $n$ and values $v_1, \ldots, v_n$, either $u\sigma\, v_1 \ldots v_n$ is w-diverging or $u\sigma\, v_1 \ldots v_n$ is w-normalizing. In both cases, by Lemma 3, we still have that $t\sigma\, v_1 \ldots v_n$ is w-super, hence w-normalizing. Thus, $u \preceq^{w}_{\mathrm{app}} t$.
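The following Python program is an added, executable illustration of Definition 8 and of the $\Omega_{\lambda^k}$ family of Sect. 8, and of the closure properties of Lemma 3 and Prop. 14; it is not code from the paper. It implements weak CbV evaluation for Plotkin's CbV $\lambda$-calculus rather than for the VSC (the two agree on the closed terms used here, as noted in Sect. 10), bounds evaluation by a fuel counter (so "diverging" means "no weak normal form within the bound"), and unfolds the co-inductive definition of s-super only to a fixed depth. The names `delta_k`, `omega_k`, `OMEGA`, `ID`, `applicative_check` and the constant `FUEL` are ours.

```python
"""Weak call-by-value evaluation of the pure lambda-calculus, bounded by a fuel
counter, used to check w-normalizing / w-diverging / w-super terms on examples."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:
    param: str
    body: "Term"


@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"


Term = Union[Var, Lam, App]

FUEL = 200  # assumed bound: "diverging" below means "no weak normal form within FUEL steps"


def is_value(t: Term) -> bool:
    """CbV values: abstractions and variables."""
    return isinstance(t, (Lam, Var))


def subst(t: Term, x: str, v: Term) -> Term:
    """t{x<-v}. Weak evaluation of a closed term only ever substitutes closed
    values, so no variable capture can happen; shadowing is respected."""
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, Lam):
        return t if t.param == x else Lam(t.param, subst(t.body, x, v))
    return App(subst(t.fn, x, v), subst(t.arg, x, v))


def weak_step(t: Term) -> Optional[Term]:
    """One weak CbV step (never under lambda, function position first);
    None if t is a weak normal form."""
    if not isinstance(t, App):
        return None
    if isinstance(t.fn, Lam) and is_value(t.arg):
        return subst(t.fn.body, t.fn.param, t.arg)  # beta_v redex
    if not is_value(t.fn):
        s = weak_step(t.fn)
        return None if s is None else App(s, t.arg)
    if not is_value(t.arg):
        s = weak_step(t.arg)
        return None if s is None else App(t.fn, s)
    return None  # x v with x free: stuck, a weak normal form that is not a value


def weak_eval(t: Term, fuel: int = FUEL) -> Optional[Term]:
    """Weak normal form of t, or None if none is reached within `fuel` steps."""
    for _ in range(fuel):
        s = weak_step(t)
        if s is None:
            return t
        t = s
    return None


def is_diverging(t: Term, fuel: int = FUEL) -> bool:
    return weak_eval(t, fuel) is None


def is_super(t: Term, depth: int = 5, fuel: int = FUEL) -> bool:
    """Definition 8 unfolded `depth` times: t ->_w* \\x.t' with t' again super."""
    n = weak_eval(t, fuel)
    if not isinstance(n, Lam):
        return False
    return depth == 0 or is_super(n.body, depth - 1, fuel)


def delta_k(k: int) -> Lam:
    """delta_{lambda^k} := \\x.\\y1. ... \\yk.xx  (k = 1 is the delta of Sect. 8)."""
    body: Term = App(Var("x"), Var("x"))
    for i in range(k, 0, -1):
        body = Lam(f"y{i}", body)
    return Lam("x", body)


def omega_k(k: int) -> App:
    """Omega_{lambda^k} := delta_{lambda^k} delta_{lambda^k}, a w-super term."""
    return App(delta_k(k), delta_k(k))


ID = Lam("z", Var("z"))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))),
            Lam("x", App(Var("x"), Var("x"))))  # the usual w-diverging term


def applicative_check(t: Term, args: list) -> bool:
    """Whether t v1 ... vn is w-normalizing: the test behind applicative similarity."""
    for v in args:
        t = App(t, v)
    return weak_eval(t) is not None


if __name__ == "__main__":
    print(weak_eval(omega_k(1)))  # Lam(param='y1', body=<Omega_lambda>)
    print(is_super(omega_k(1)), is_super(omega_k(2)), is_super(ID), is_diverging(OMEGA))
    print(applicative_check(omega_k(1), [ID, ID]), applicative_check(OMEGA, [ID]))
```

Running it shows $\Omega_{\lambda} \to_{w} \lambda y_1.\Omega_{\lambda}$ as in the text, that $\Omega_{\lambda}$ and $\Omega_{\lambda^2}$ are super while the identity and the diverging $\Omega$ are not, and that applying a super (resp. diverging) term to a value keeps it super (resp. diverging), which is the content of Lemma 3 used in the proof of Prop. 14.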


Proving (co-)genericity amounts to showing that the results of the previous proposition transfer to $\preceq^{w}_{C}$. This can be done by showing $\preceq^{w}_{\mathrm{app}} \subseteq \preceq^{w}_{C}$ via:


42 B. Accattoli, A. Lancelot 


1. The soundness of applicative similarity $\preceq^{w}_{\mathrm{app}}$ for Plotkin's pre-order $\preceq^{\mathrm{Pl}}_{C_0}$, that is, $\preceq^{w}_{\mathrm{app}} \subseteq \preceq^{\mathrm{Pl}}_{C_0}$ (the converse inclusion holds as well, but it is not useful here);
2. The equivalence $\preceq^{\mathrm{Pl}}_{C_0} = \preceq^{w}_{C_0}$, given by Prop. 8.3;
3. The openability of w-evaluation, that is, $\preceq^{w}_{C_0} = \preceq^{w}_{C}$.


Soundness of $\preceq^{w}_{\mathrm{app}}$ is a non-trivial result in the literature, established by Howe's method [27,39], which we here use as a black box. About openability, we proved it in Sect. 7 but that proof uses light genericity (and maximality), which is our goal here, so we have to re-prove openability without using light genericity.


w is Openable without Light Genericity. We know that $\preceq^{w}_{C} \subseteq \preceq^{w}_{C_0}$, thus we only have to show the other inclusion, which follows from w-adequacy of $\preceq^{w}_{C_0}$.


Proposition 15. The inequational theory $\preceq^{w}_{C_0}$ is w-adequate, hence w is openable.


Proof. The proof is in [8, p.32]; here we only give the idea for w-adequacy. Let $t \preceq^{w}_{C_0} u$ with $t$ w-normalizing. Then, we use the operational characterization of scrutability (Thm. 5) to build a closing context $C$ such that $C\langle t\rangle$ is w-normalizing and such that if $u$ were w-diverging, so would be $C\langle u\rangle$.


(Co-)genericity via Applicative Similarity. The three points above are established, and so we obtain new proofs of light genericity and co-genericity.

Proposition 16 (CbV light (co-)genericity). $\preceq^{w}_{C}$ is w-ground and w-roof.


11 Conclusions 


We develop in this paper a theory of light genericity, which is as powerful as heavy 
genericity for proving the collapsibility of meaningless terms, it is connected to 
contextual pre-orders, and dualizable as co-genericity. 

We also provide light proofs of the maximality of open contextual pre-orders, which in turn provide an elegant proof of the fact that the closed and open contextual pre-orders coincide. Lastly, we show that CbV applicative similarity can be used for alternative simple proofs of light (co-)genericity. These simple proofs via applicative similarity are easily adaptable to the (weak) CbN case.

Summing up, our work paints Barendregt’s genericity with a fresh, modern 
hue, connecting it to program equivalences and maximality, following an abstract 
approach and providing neat proofs. 


Acknowledgements. To Giulio Manzonetto and Gabriele Vanoni for feedback on 
a first draft, and to Victor Arrial for helpful discussions about genericity. 
Abstract. We present a systematic approach to logical predicates based on univer-
sal coalgebra and higher-order abstract GSOS, thus making a first step towards a 
unifying theory of logical relations. We start with the observation that logical pred- 
icates are special cases of coalgebraic invariants on mixed-variance functors. We 
then introduce the notion of a locally maximal logical refinement of a given predi- 
cate, with a view to enabling inductive reasoning, and identify sufficient conditions 
on the overall setup in which locally maximal logical refinements canonically exist. 
Finally, we develop induction-up-to techniques that simplify inductive proofs via 
logical predicates on systems encoded as (certain classes of) higher-order GSOS 
laws by identifying and abstracting away from their boiler-plate part. 


1 Introduction 


Logical relations are arguably the most widely used method for reasoning on higher-order 
languages. Historically, early examples of logical relations [44,46,47,51,55,56,58,59] 
were based on denotational semantics, before the method evolved into logical relations 
based on operational semantics [7,17,34,50,52,53]. Today, operationally-based logical 
relations are ubiquitous and serve purposes ranging from strong normalization proofs [6] 
and safety properties [21,22] to reasoning about contextual equivalence [5,60] and 
formally verified compilation [8,33,45,48], in a variety of settings such as effectful [37], 
probabilistic [4,10,63], and differential programming [15,40,41]. 

Unfortunately, despite the extensive literature, there is a distinct lack of a general 
formal theory of (operational) logical relations. As a reasoning method, logical relations 
are applied in a largely empirical manner, more so because their core principles are well 
understood on an intuitive level. For example, there is typically no formal notion of a 
logical predicate or relation; instead, if a predicate or relation is defined by induction on 
types and maps "related inputs to related outputs", it then meets the informal criteria to
be called “logical”. However, the empirical character of logical relations is problematic 
for two main reasons: (i) complex machinery associated to logical relations needs to be 
re-established anew on a per-case basis, and (ii) it is hard to abstract and simplify said 
machinery, even though certain parts of proofs via logical relations seem generic. 

Recently, Higher-order Mathematical Operational Semantics [24], or higher-order abstract GSOS, has emerged as a unifying approach to the operational semantics of higher-order languages. In this framework, languages are represented as higher-order GSOS laws, a form of distributive law of a syntax functor $\Sigma$ over a mixed-variance behaviour bifunctor $B$. In further work [62], an abstract form of Howe's method [16,31,32] for higher-order abstract GSOS has been identified, in which an otherwise complex and application-specific operational technique is, at the same time, lifted to an appropriate level of generality and reduced to a simple lax bialgebra condition.

In the present paper, we work towards establishing a theory of logical relations based 
on coalgebra and higher-order abstract GSOS, starting from logical predicates, under- 
stood as unary logical relations. In more detail, we present the following contributions: 


(i) A systematization of the method of logical predicates (Section 3), achieved by 
(a) identifying logical predicates as certain coalgebraic invariants (Definition 12), 
parametric in a predicate lifting of the underlying mixed-variance bifunctor, 


(b) introducing the locally maximal logical refinement $\sqcup P$ of a predicate $P$ (Definition 14), which enables inductive proofs of $\sqcup P$, and


(c) identifying an abstract setting in which locally maximal logical refinements of 
predicates exist and are unique (Section 3.3). 
(ii) The development of efficient reasoning techniques on logical predicates, which we 
call induction up-to (Theorems 34 and 36), for higher-order GSOS laws satisfying a 
relative flatness condition (Definition 30). 


We illustrate (ii) by providing proofs of strong normalization for typed combinatory logic and type safety for the simply typed $\lambda$-calculus which, thanks to the use of our
up-to techniques, are significantly shorter and simpler than standard arguments found 
in the literature. Finally, we exploit the genericity of our framework to study strong 
normalization on the level of higher-order GSOS laws (Theorem 42). We note that the 
implementation of typed languages as higher-order GSOS laws as such is also novel. 
Full proofs and additional details can be found in the arXiv version [25] of our paper. 


Related work While denotational logical relations have been studied in categorical 
generality, e.g. [27,28,29,38], general abstract foundations of operational logical rela- 
tions are far less developed. In recent work [13,14], Dagnino and Gavazzo introduce 
a categorical notion of operational logical relations that is largely orthogonal to ours, 
in particular regarding the parametrization of the framework: In op. cit., the authors 
work with a fixed fine-grain call-by-value language [42], parametrized by a signature 
of generic effects, while the notion of logical relation is kept variable and in fact is 
parametrized over a fibration; contrastingly, we keep to the traditional notion of logical 
relation but parametrize over the syntax and semantics of the language. Moreover, we 
work with a small-step operational semantics, whereas the semantics used in op. cit. is 
an axiomatically defined categorical evaluation semantics. 
2 Preliminaries


2.1 Category Theory 


Familiarity with basic category theory [43] (e.g. functors, natural transformations, 
(co)limits, monads) is assumed. We review some concepts and notation. 


Notation. Given objects $X_1, X_2$ in a category $C$, we write $X_1 \times X_2$ for the product and $\langle f_1, f_2\rangle: X \to X_1 \times X_2$ for the pairing of $f_i: X \to X_i$, $i = 1, 2$. We let $X_1 + X_2$ denote the coproduct, $\mathsf{inl}: X_1 \to X_1 + X_2$ and $\mathsf{inr}: X_2 \to X_1 + X_2$ the injections, $[g_1, g_2]: X_1 + X_2 \to X$ the copairing of $g_i: X_i \to X$, $i = 1, 2$, and $\nabla = [\mathrm{id}_X, \mathrm{id}_X]: X + X \to X$ the codiagonal. The slice category $C/X$, where $X \in C$, has as objects all pairs $(Y, p_Y)$ of an object $Y \in C$ and a morphism $p_Y: Y \to X$, and a morphism from $(Y, p_Y)$ to $(Z, p_Z)$ is a morphism $f: Y \to Z$ of $C$ such that $p_Y = p_Z \cdot f$. The coslice category $X/C$ is defined dually.


Extensive categories. A category $C$ is (finitely) extensive [12] if it has finite coproducts and for every finite family of objects $X_i$ ($i \in I$) the functor $E: \prod_{i \in I} C/X_i \to C/\coprod_{i \in I} X_i$ sending $(p_i: Y_i \to X_i)_{i \in I}$ to $\coprod_{i \in I} p_i: \coprod_{i \in I} Y_i \to \coprod_{i \in I} X_i$ is an equivalence of categories.
A countably extensive category satisfies the analogous property for countable coprod- 
ucts. In extensive categories, coproduct injections inl, inr are monic, and coproducts of 
monomorphisms are monic; generally, coproducts behave like disjoint unions of sets. 


Example 1. Examples of countably extensive categories include the category $\mathbf{Set}$ of sets and functions; the category $\mathbf{Set}^{\mathbb{C}}$ of presheaves on a small category $\mathbb{C}$ and natural transformations; and the categories of posets and monotone maps, nominal sets and equivariant maps, and metric spaces and non-expansive maps, respectively.


Algebras. Given an endofunctor $F$ on a category $C$, an $F$-algebra is a pair $(A, a)$ consisting of an object $A$ and a morphism $a: FA \to A$ (the structure). A morphism from $(A, a)$ to an $F$-algebra $(B, b)$ is a morphism $h: A \to B$ of $C$ such that $h \cdot a = b \cdot Fh$. Algebras for $F$ and their morphisms form a category $\mathrm{Alg}(F)$, and an initial $F$-algebra is simply an initial object in that category. We denote the initial $F$-algebra by $\mu F$ if it exists, and its structure by $\iota: F(\mu F) \to \mu F$. Initial algebras admit the structural induction principle: the algebra $\mu F$ has no proper subalgebras, that is, every $F$-algebra monomorphism $m: (A, a) \to (\mu F, \iota)$ is an isomorphism.

More generally, a free $F$-algebra on an object $X$ of $C$ is an $F$-algebra $(F^{*}X, \tau_X)$ together with a morphism $\eta_X: X \to F^{*}X$ of $C$ such that for every algebra $(A, a)$ and every $h: X \to A$ in $C$, there exists a unique $F$-algebra morphism $h^{\sharp}: (F^{*}X, \tau_X) \to (A, a)$ such that $h = h^{\sharp} \cdot \eta_X$. If free algebras exist on every object, their formation induces a monad $F^{*}: C \to C$, the free monad generated by $F$. Every $F$-algebra $(A, a)$ yields an Eilenberg-Moore algebra $\hat{a}: F^{*}A \to A$ as the free extension of $\mathrm{id}_A: A \to A$.

The most familiar example of functor algebras are algebras for a signature. Given a set $S$ of sorts, an $S$-sorted algebraic signature consists of a set $\Sigma$ of operation symbols together with a map $\mathrm{ar}: \Sigma \to S^{*} \times S$ associating to every $f \in \Sigma$ its arity. We write $f: s_1 \times \cdots \times s_n \to s$ if $\mathrm{ar}(f) = (s_1, \ldots, s_n, s)$, and $f: s$ if $n = 0$ (in which case $f$ is called a constant). Every signature $\Sigma$ induces a polynomial functor on the category $\mathbf{Set}^{S}$ of $S$-sorted sets, denoted by the same letter $\Sigma$, given by $(\Sigma X)_s = \coprod_{f: s_1 \cdots s_n \to s} \prod_{i=1}^{n} X_{s_i}$ for $X \in \mathbf{Set}^{S}$ and $s \in S$. An algebra for the functor $\Sigma$ is precisely an algebra for the signature $\Sigma$, viz. an $S$-sorted set $A = (A_s)_{s \in S}$ in $\mathbf{Set}^{S}$ equipped with an operation $f^{A}: \prod_{i=1}^{n} A_{s_i} \to A_s$ for every $f: s_1 \cdots s_n \to s$ in $\Sigma$. Morphisms of $\Sigma$-algebras are $S$-sorted maps respecting the algebraic structure. Given an $S$-sorted set $X$ of variables, the free algebra $\Sigma^{*}X$ is the $\Sigma$-algebra of $\Sigma$-terms with variables from $X$; more precisely, $(\Sigma^{*}X)_s$ is inductively defined by $X_s \subseteq (\Sigma^{*}X)_s$ and $f(t_1, \ldots, t_n) \in (\Sigma^{*}X)_s$ for all $f: s_1 \cdots s_n \to s$ and $t_i \in (\Sigma^{*}X)_{s_i}$. In particular, the free algebra on the empty set is the initial algebra $\mu\Sigma$; it is formed by all closed terms of the signature. For every $\Sigma$-algebra $(A, a)$, the induced Eilenberg-Moore algebra $\hat{a}: \Sigma^{*}A \to A$ is given by the map that evaluates terms over $A$ in the algebra $A$.


Coalgebras. Dual to the notion of algebra, a coalgebra for an endofunctor F on C is a 
pair (C, c) of an object C (the state space) and a morphism c: C — FC (the structure). 


2.2 Higher-Order Abstract GSOS 


We summarize the framework of higher-order abstract GSOS [24], which extends the 
original, first-order counterpart introduced by Turi and Plotkin [61]. In higher-order 
abstract GSOS, the operational semantics of a higher-order language is presented in the 
form of a higher-order GSOS law, a categorical structure parametric in 

(1) a category $C$ with finite products and coproducts;

(2) an object $V \in C$ of variables;

(3) an endofunctor $\Sigma: C \to C$, where $\Sigma = V + \Sigma'$ for some endofunctor $\Sigma'$, such that free $\Sigma$-algebras exist on every object (hence $\Sigma$ generates a free monad $\Sigma^{*}$);

(4) a mixed-variance bifunctor $B: C^{op} \times C \to C$.

The functors X and B represent the syntax and the behaviour of a higher-order language. 
The motivation behind B having two arguments is that transitions have labels, which 
behave contravariantly, and poststates, which behave covariantly; in term models the 
objects of labels and states will coincide. The presence of an object V of variables is 
a technical requirement for the modelling of languages with variable binding [19,20], 
such as the $\lambda$-calculus. An object of $V/C$, the coslice category of $V$-pointed objects, is thought of as a set $X$ of programs with an embedding $p_X: V \to X$ of the variables. In point-free calculi, e.g. xTCL as introduced below, we put $V = 0$ (the initial object).


Definition 2. A ($V$-pointed) higher-order GSOS law of $\Sigma$ over $B$ is a family of morphisms (1) that is dinatural in $(X, p_X) \in V/C$ and natural in $Y \in C$:

$\rho_{(X, p_X), Y}: \Sigma(X \times B(X, Y)) \to B(X, \Sigma^{*}(X + Y))$ (1)

Notation 3. (i) In (1), we have implicitly applied the forgetful functor $V/C \to C$ at $(X, p_X)$. In addition, we write $\rho_{X,Y}$ for $\rho_{(X, p_X), Y}$ if the point $p_X$ is clear from the context.

(ii) For $(A, a) \in \mathrm{Alg}(\Sigma)$, we view $A$ as $V$-pointed by $p_A = (V \xrightarrow{\mathsf{inl}} V + \Sigma' A = \Sigma A \xrightarrow{a} A)$.


Informally, $\rho_{X,Y}$ assigns to an operation of the language with formal arguments from $X$ having specified next-step behaviours in $B(X, Y)$ (i.e. with labels in $X$ and formal poststates in $Y$) a next-step behaviour in $B(X, \Sigma^{*}(X + Y))$, i.e. with the same labels, and with poststates being program terms mentioning variables from both $X$ and $Y$. Every higher-order GSOS law (1) induces a canonical operational model $\gamma: \mu\Sigma \to B(\mu\Sigma, \mu\Sigma)$, viz. a $B(\mu\Sigma, -)$-coalgebra on the initial algebra $\mu\Sigma$, defined by primitive recursion [36, Prop. 2.4.7] as the unique morphism $\gamma$ making the following diagram commute, i.e. such that

$\gamma \cdot \iota \;=\; B(\mathrm{id}, \nabla^{\sharp}) \cdot \rho_{\mu\Sigma, \mu\Sigma} \cdot \Sigma\langle \mathrm{id}, \gamma\rangle \;:\; \Sigma(\mu\Sigma) \to B(\mu\Sigma, \mu\Sigma),$

where $\Sigma\langle \mathrm{id}, \gamma\rangle: \Sigma(\mu\Sigma) \to \Sigma(\mu\Sigma \times B(\mu\Sigma, \mu\Sigma))$, $\rho_{\mu\Sigma, \mu\Sigma}: \Sigma(\mu\Sigma \times B(\mu\Sigma, \mu\Sigma)) \to B(\mu\Sigma, \Sigma^{*}(\mu\Sigma + \mu\Sigma))$, and $\nabla^{\sharp}: \Sigma^{*}(\mu\Sigma + \mu\Sigma) \to \mu\Sigma$ is the free extension of the codiagonal $\nabla: \mu\Sigma + \mu\Sigma \to \mu\Sigma$ to the algebra $(\mu\Sigma, \iota)$.

Here, we regard the initial algebra $(\mu\Sigma, \iota)$ as $V$-pointed as explained in Notation 3.

Fig. 1. (Call-by-name) operational semantics of xTCL.

$\varepsilon \nrightarrow$ \qquad $S \xrightarrow{t} S'(t)$ \qquad $S'(p) \xrightarrow{t} S''(p, t)$ \qquad $S''(p, q) \xrightarrow{t} (p\,t)(q\,t)$

$K \xrightarrow{t} K'(t)$ \qquad $K'(p) \xrightarrow{t} p$ \qquad $I \xrightarrow{t} t$

$\dfrac{p \to p'}{p\,q \to p'\,q}$ \qquad $\dfrac{p \xrightarrow{q} p'}{p\,q \to p'}$


Simply Typed SKI Calculus. We illustrate the ideas behind higher-order abstract GSOS with an extended version of the simply typed SKI calculus [30], a typed combinatory logic which we call xTCL. It is expressively equivalent to the simply typed $\lambda$-calculus but does not use variables; hence it avoids the complexities associated to variable binding and substitution in the $\lambda$-calculus, which we treat in Section 4.2. The set $\mathrm{Ty}$ of types is inductively defined as

$\mathrm{Ty} ::= \mathsf{unit} \mid \mathrm{Ty} \to \mathrm{Ty}.$ (2)

The constructor $\to$ is right-associative, i.e. $T_1 \to T_2 \to T_3$ is parsed as $T_1 \to (T_2 \to T_3)$. The terms of xTCL are formed over the $\mathrm{Ty}$-sorted signature $\Sigma$ whose operation symbols are listed below, with $T, T_1, T_2, T_3$ ranging over all types in $\mathrm{Ty}$:

$\varepsilon: \mathsf{unit}$ \qquad $\mathsf{app}_{T_1, T_2}: (T_1 \to T_2) \times T_1 \to T_2$

$S_{T_1, T_2, T_3}: (T_1 \to T_2 \to T_3) \to (T_1 \to T_2) \to T_1 \to T_3$ \qquad $K_{T_1, T_2}: T_1 \to T_2 \to T_1$

$S'_{T_1, T_2, T_3}: (T_1 \to T_2 \to T_3) \to ((T_1 \to T_2) \to T_1 \to T_3)$ \qquad $K'_{T_1, T_2}: T_1 \to (T_2 \to T_1)$

$S''_{T_1, T_2, T_3}: (T_1 \to T_2 \to T_3) \times (T_1 \to T_2) \to (T_1 \to T_3)$ \qquad $I_T: T \to T$

We let $\mathbf{Tr} = \mu\Sigma$ denote the $\mathrm{Ty}$-sorted set of closed $\Sigma$-terms. Informally, $\mathsf{app}$ represents function application (we write $s\,t$ for $\mathsf{app}(s, t)$), and the constants $I_T$, $K_{T_1, T_2}$, $S_{T_1, T_2, T_3}$ represent the $\lambda$-terms $\lambda t.\,t$, $\lambda t.\lambda s.\,t$ and $\lambda t.\lambda s.\lambda u.\,(t\,u)(s\,u)$, respectively. The operational semantics of xTCL involves three kinds of transitions: $\nrightarrow$, $\xrightarrow{t}$ and $\to$. It is presented in Figure 1; here, $p, p', q, t$ range over terms in $\mathbf{Tr}$ of appropriate type. Intuitively, $s \nrightarrow$ identifies $s$ as an explicitly irreducible term; $s \xrightarrow{t} r$ states that $s$ acts as a function mapping $t$ to $r$; and $s \to t$ indicates that $s$ reduces to $t$. Our use of labelled transitions
in higher-order operational semantics is inspired by work on bisimilarity in the $\lambda$-calculus [1,26]. The use of $K'$, $S'$ and $S''$ does not impact the behaviour of programs, except for possibly adding more unlabelled transitions. For example, the standard rule $S\,t\,s\,e \to (t\,e)(s\,e)$ for the $S$-combinator is rendered as the chain of transitions $S\,t\,s\,e \to S'(t)\,s\,e \to S''(t, s)\,e \to (t\,e)(s\,e)$. The transition system for xTCL is deterministic: for every term $s$, either $s \nrightarrow$, or there exists a unique $t$ such that $s \to t$, or for each appropriately typed $t$ there exists a unique $s_t$ such that $s \xrightarrow{t} s_t$. Therefore, given

$B_T(X, Y) = Y_T + D_T(X, Y),$ (3)
$D_{\mathsf{unit}}(X, Y) = 1, \qquad D_{T_1 \to T_2}(X, Y) = Y_{T_2}^{X_{T_1}},$ (4)

the operational rules in Figure 1 determine a $\mathbf{Set}^{\mathrm{Ty}}$-morphism $\gamma: \mathbf{Tr} \to B(\mathbf{Tr}, \mathbf{Tr})$:

$\gamma_{\mathsf{unit}}(s) = \mathsf{inr}(*)$ if $s \nrightarrow$, where $s: \mathsf{unit}$,
$\gamma_T(s) = \mathsf{inl}(t)$ if $s \to t$, where $s, t: T$, (5)
$\gamma_{T_1 \to T_2}(s) = \mathsf{inr}(\lambda t.\, s_t)$ if $s \xrightarrow{t} s_t$, for $s: T_1 \to T_2$ and $t: T_1$.

Proposition 4. The object assignments (3) and (4) extend to mixed-variance bifunctors
$B, D: (\mathbf{Set}^{\mathrm{Ty}})^{op} \times \mathbf{Set}^{\mathrm{Ty}} \to \mathbf{Set}^{\mathrm{Ty}}.$ (6)


The semantics of xTCL in Figure 1 corresponds to a ($0$-pointed) higher-order GSOS law of the syntax functor $\Sigma$ over the behaviour bifunctor $B$, i.e. to a family of maps (1) dinatural in $X \in \mathbf{Set}^{\mathrm{Ty}}$ and natural in $Y \in \mathbf{Set}^{\mathrm{Ty}}$. The maps $\rho_{X,Y}$ are cotuples defined by distinguishing cases on the constructors $\varepsilon, S, S', S'', K, K', I, \mathsf{app}$ of xTCL, and each component of $\rho$ is determined by the rules that apply to the corresponding constructor. We provide a few illustrative cases; see [25, p. 25] for a complete definition.

$\rho_{X,Y}: \Sigma(X \times B(X, Y)) \to B(X, \Sigma^{*}(X + Y))$ (7)

$\rho_{X,Y}(S''_{T_1, T_2, T_3}((p, f), (q, g))) = \lambda t.\,(p\,t)(q\,t)$ (8)

$\rho_{X,Y}((p, f)(q, g)) = f(q)$ \quad if $f \in D_{T_1 \to T_2}(X, Y) = Y_{T_2}^{X_{T_1}}$ (9)

$\rho_{X,Y}((p, f)(q, g)) = f\,q$ \quad if $f \in Y_{T_1 \to T_2}$ (10)

The operational model $\gamma: \mathbf{Tr} \to B(\mathbf{Tr}, \mathbf{Tr})$ of $\rho$ coincides with the coalgebra (5).
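The following Python program is an added, executable rendering of the transition system of Figure 1 and of the operational model $\gamma$ of (5); it is not code from the paper. It drops the type indices of the combinators and does not type-check its input (an assumption: only well-typed terms such as those in the text are meaningful), represents an element of $B(\mathbf{Tr}, \mathbf{Tr})$ as a reduct (`Red`), the irreducibility marker (`Stuck`) or a function on terms (`Fun`), and follows the unlabelled transitions of a term to its first value. Its call-by-value mode is our own reading of the variant sketched in Remark 5, not the paper's rules. The class and function names (`Eps`, `K1`, `S1`, `S2`, `gamma`, `trace`, `SKI_EPS`) are ours.

```python
"""Deterministic transition system of xTCL (Figure 1) and the operational model
gamma of (5), with a trace function for the unlabelled transitions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Union


# Terms. Type indices of the combinators are dropped (assumption): inputs are not
# type-checked, so only well-typed terms as in the text are meaningful.
@dataclass(frozen=True)
class Eps:        # epsilon : unit, explicitly irreducible
    pass

@dataclass(frozen=True)
class I:
    pass

@dataclass(frozen=True)
class K:
    pass

@dataclass(frozen=True)
class K1:         # K'(p)
    p: "Term"

@dataclass(frozen=True)
class S:
    pass

@dataclass(frozen=True)
class S1:         # S'(p)
    p: "Term"

@dataclass(frozen=True)
class S2:         # S''(p, q)
    p: "Term"
    q: "Term"

@dataclass(frozen=True)
class App:        # app(p, q), written p q in the text
    fn: "Term"
    arg: "Term"

Term = Union[Eps, I, K, K1, S, S1, S2, App]


# Elements of B(Tr, Tr) = Tr + D(Tr, Tr): a reduct (inl), the "stuck" marker
# inr(*) at type unit, or a function on terms inr(lambda t. s_t) at arrow types.
@dataclass(frozen=True)
class Red:
    t: "Term"

@dataclass(frozen=True)
class Stuck:
    pass

@dataclass(frozen=True)
class Fun:
    f: Callable[["Term"], "Term"]

Behaviour = Union[Red, Stuck, Fun]


def gamma(s: Term, cbv: bool = False) -> Behaviour:
    """The operational model (5): the unique transition of s under Figure 1."""
    if isinstance(s, Eps):
        return Stuck()                                     # epsilon -/->
    if isinstance(s, I):
        return Fun(lambda t: t)                            # I =t=> t
    if isinstance(s, K):
        return Fun(lambda t: K1(t))                        # K =t=> K'(t)
    if isinstance(s, K1):
        return Fun(lambda t: s.p)                          # K'(p) =t=> p
    if isinstance(s, S):
        return Fun(lambda t: S1(t))                        # S =t=> S'(t)
    if isinstance(s, S1):
        return Fun(lambda t: S2(s.p, t))                   # S'(p) =t=> S''(p, t)
    if isinstance(s, S2):
        return Fun(lambda t: App(App(s.p, t), App(s.q, t)))  # S''(p,q) =t=> (p t)(q t)
    # Application p q: the two rules at the bottom of Figure 1.
    bp = gamma(s.fn, cbv)
    if isinstance(bp, Red):
        return Red(App(bp.t, s.arg))                       # p -> p'  /  p q -> p' q
    if isinstance(bp, Fun):
        if cbv:
            # Call-by-value mode (our reading of Remark 5): once p is a function,
            # the argument is reduced before the function is applied.
            bq = gamma(s.arg, cbv)
            if isinstance(bq, Red):
                return Red(App(s.fn, bq.t))
        return Red(bp.f(s.arg))                            # p =q=> p'  /  p q -> p'
    raise TypeError("ill-typed term: epsilon in function position")


def trace(t: Term, cbv: bool = False, fuel: int = 10_000) -> list:
    """Unlabelled transitions t -> t1 -> ... up to the first value (stuck or function)."""
    out = [t]
    for _ in range(fuel):
        b = gamma(t, cbv)
        if not isinstance(b, Red):
            return out
        t = b.t
        out.append(t)
    raise RuntimeError("no value reached within fuel")


# The example of the text, S t s eps, with t = K and s = I.
SKI_EPS = App(App(App(S(), K()), I()), Eps())

if __name__ == "__main__":
    for step in trace(SKI_EPS):
        print(step)
```

The trace of `SKI_EPS` reproduces the chain $S\,K\,I\,\varepsilon \to S'(K)\,I\,\varepsilon \to S''(K, I)\,\varepsilon \to (K\,\varepsilon)(I\,\varepsilon)$ from the text and then continues to $K'(\varepsilon)\,(I\,\varepsilon) \to \varepsilon$; under call-by-name the argument $I\,\varepsilon$ is discarded unevaluated, while the call-by-value mode spends one extra step reducing it first, which is the difference Remark 5 points at.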


Remark 5. The rules for application in Figure 1 implement the call-by-name evaluation strategy. Other strategies can be captured by varying the rules and consequently the corresponding higher-order GSOS law. For the call-by-value strategy, one replaces the last rule with (11) and (12) below and modifies clause (9) in the definition of $\rho$ accordingly. One can also model the traditional view of combinatory logic as a rewrite system [30] where any redex can be reduced, no matter how deeply. This amounts to specifying a maximally nondeterministic strategy by adding the rule (13) below to Figure 1. Notably, this makes the operational model nondeterministic, and hence the corresponding higher-order GSOS law relies on the behaviour functor $\mathcal{P}B$ instead of the original $B$ given by (3), where $\mathcal{P}$ is the powerset functor.

[Rules (11)-(13): the two call-by-value application rules (11) and (12) are not legible in this extraction; (13) is the rule $\dfrac{q \to q'}{p\,q \to p\,q'}$ reducing the argument of an application.]
3 Coalgebraic Logical Predicates


3.1 Predicate Lifting 


Predicates and relations on coalgebras are often most conveniently modelled through 
predicate and relation liftings [39] of the underlying type functors. In the following 
we introduce a framework of predicate liftings for mixed-variance bifunctors, adapting 
existing notions of relation lifting [62], which enables reasoning about “higher-order” 
coalgebras, such as operational models of higher-order GSOS laws. The following global 
assumptions ensure that predicates and relations behave in an expected manner: 


Assumptions 6. From now on, we fix C to be a complete, well-powered and extensive 
category in which, additionally, strong epimorphisms are stable under pullbacks. 


The categories of Example 1 satisfy these assumptions. Since $C$ is complete and well-powered, every morphism $f$ admits a (strong epi, mono)-factorization $f = m \cdot e$ [11, Prop. 4.4.3]; we call $m$ the image of $f$. The category $\mathrm{Pred}(C)$ of predicates over $C$ has as objects all monics (predicates) $P \rightarrowtail X$ from $C$, and as morphisms $(p: P \rightarrowtail X) \to (q: Q \rightarrowtail Y)$ all pairs $(f: X \to Y,\ f|_P: P \to Q)$ such that $q \cdot f|_P = f \cdot p$ (so $f|_P$ is uniquely determined by $f$). (Co)products in $\mathrm{Pred}(C)$ are lifted from $C$. The fiber $\mathrm{Pred}_X(C)$ is the subcategory of all monics $P \rightarrowtail X$ for fixed $X$ and morphisms $(\mathrm{id}_X, -)$. It is preordered by $p \le q$ if $p$ factors through $q$; identifying $p, q$ if $p \le q$ and $q \le p$, we regard $\mathrm{Pred}_X(C)$ as a poset. Since $C$ is complete and well-powered, $\mathrm{Pred}_X(C)$ is a complete lattice; we write $\wedge$ for meets (i.e. pullbacks) and $\vee$ for joins. We will also write $f^{*}[P]$ for the inverse image of a predicate $p: P \rightarrowtail X$ under $f: Y \to X$, i.e. the pullback of $p$ along $f$. The direct image $f_{*}[Q]$ of $q: Q \rightarrowtail Y$ under $f: Y \to X$ is the image of the composite $f \cdot q: Q \to X$. This yields an adjunction between $\mathrm{Pred}_Y(C)$ and $\mathrm{Pred}_X(C)$, i.e. $Q \le f^{*}[P]$ iff $f_{*}[Q] \le P$.

A predicate lifting of an endofunctor $\Sigma: C \to C$ is an endofunctor $\overline{\Sigma}: \mathrm{Pred}(C) \to \mathrm{Pred}(C)$ making the left-hand diagram below commute; similarly, a predicate lifting of a mixed-variance bifunctor $B: C^{op} \times C \to C$ is a bifunctor $\overline{B}: \mathrm{Pred}(C)^{op} \times \mathrm{Pred}(C) \to \mathrm{Pred}(C)$ making the right-hand diagram below commute. Here $|{-}|$ is the forgetful functor sending $p: P \rightarrowtail X$ to $X$.

$|{-}| \cdot \overline{\Sigma} = \Sigma \cdot |{-}|: \mathrm{Pred}(C) \to C, \qquad |{-}| \cdot \overline{B} = B \cdot (|{-}|^{op} \times |{-}|): \mathrm{Pred}(C)^{op} \times \mathrm{Pred}(C) \to C.$ (14)

We denote by $\overline{\Sigma}$ both the action on predicates and on the corresponding objects in $C$, i.e. $\overline{\Sigma}(p: P \rightarrowtail X): \overline{\Sigma}P \rightarrowtail \Sigma X$.

Every endofunctor $\Sigma$ on $C$ admits a canonical predicate lifting $\overline{\Sigma}$ mapping $p: P \rightarrowtail X$ to the image $\overline{\Sigma}p: \overline{\Sigma}P \rightarrowtail \Sigma X$ of $\Sigma p: \Sigma P \to \Sigma X$ [36]. Note that $\overline{\Sigma}p = \Sigma p$ if $\Sigma$ preserves monos. In the remainder we will only consider canonical liftings of endofunctors.


Proposition 7. If $\Sigma$ preserves strong epis, then 7 =- 7.


The canonical predicate liftings for mixed-variance bifunctors are slightly more 
complex. Similarly to the case of relation liftings of such functors developed in recent 
work [62], their construction involves suitable pullbacks. 
Proposition 8. Every bifunctor $B: C^{op} \times C \to C$ admits a canonical predicate lifting $\overline{B}: \mathrm{Pred}(C)^{op} \times \mathrm{Pred}(C) \to \mathrm{Pred}(C)$ sending $(p: P \rightarrowtail X,\ q: Q \rightarrowtail Y)$ to the predicate $m_{P,Q}: \overline{B}(P, Q) \rightarrowtail B(X, Y)$, the image of the morphism $r_{P,Q}$ given by the pullback below:

$T_{P,Q}$ is the pullback of $B(\mathrm{id}, q): B(P, Q) \to B(P, Y)$ along $B(p, \mathrm{id}): B(X, Y) \to B(P, Y)$, with projections $T_{P,Q} \to B(P, Q)$ and $r_{P,Q}: T_{P,Q} \to B(X, Y)$, and $r_{P,Q} = m_{P,Q} \cdot e_{P,Q}$ with $e_{P,Q}: T_{P,Q} \to \overline{B}(P, Q)$ is its (strong epi, mono)-factorization. (15)

If $B$ preserves monos in the covariant argument, then $B(\mathrm{id}, q)$ is monic and, since monos are pullback-stable, $\overline{B}(P, Q)$ is simply the predicate $r_{P,Q}: T_{P,Q} \rightarrowtail B(X, Y)$.


Example 9. The bifunctors $B$ and $D$ of (3) and (4) have canonical predicate liftings
$\overline{B}_T(P, Q) = Q_T + \overline{D}_T(P, Q)$ where (16)

$\overline{D}_{\mathsf{unit}}(P, Q) = 1, \qquad \overline{D}_{T_1 \to T_2}(P, Q) = \{ f: X_{T_1} \to Y_{T_2} \mid \forall x \in P_{T_1}.\ f(x) \in Q_{T_2} \} \subseteq Y_{T_2}^{X_{T_1}}.$ (17)


Predicate liftings allow us to generalize coalgebraic invariants [36, $6.2], viz. predicates 
on the state space of a coalgebra that are closed under the coalgebra structure in a suitable 
sense, from endofunctors to mixed-variance bifunctors: 


Notation 10. For the remainder of the paper, we fix a mixed-variance bifunctor $B: C^{op} \times C \to C$ and a predicate lifting $\overline{B}: \mathrm{Pred}(C)^{op} \times \mathrm{Pred}(C) \to \mathrm{Pred}(C)$.


Definition 11 (Coalgebraic invariant). Let $c: Y \to B(X, Y)$ be a $B(X, -)$-coalgebra. Given predicates $S \rightarrowtail X$, $P \rightarrowtail Y$, we say that $P$ is an $S$-relative ($\overline{B}$-)invariant (for $c$) if $P \le c^{*}[\overline{B}(S, P)]$, equivalently, $c_{*}[P] \le \overline{B}(S, P)$. (Mention of $\overline{B}$ is usually omitted.)


Coalgebraic invariants will feature centrally in our notion of logical predicate. 


3.2 Logical Predicates via Lifted Bifunctors 


As a reasoning device, the method of logical predicates (which are unary logical relations) typically applies to the following scenario: One has an operational semantics on an inductively defined set $\mu\Sigma$ of $\Sigma$-terms and a target predicate $P \rightarrowtail \mu\Sigma$ to be proved, in the sense that one wants to show $P = \mu\Sigma$. Logical predicates come into play when a direct proof of $P = \mu\Sigma$ by structural induction is not possible. The classical example of such a predicate is strong normalization [23,59]. The idea is to strengthen $P$, obtaining a predicate featuring a certain "logical" structure that does allow for a proof by induction. We now develop this scenario in our abstract bifunctorial setting.


Definition 12 (Coalgebraic logical predicate). Suppose that $c\colon X \to B(X,X)$ is a $B(X,-)$-coalgebra with state space $X$. A predicate $P \rightarrowtail X$ is logical (for $c$) if it is a $P$-relative $\overline{B}$-invariant (as per Def. 11), i.e. $P \leq c^*[\overline{B}(P,P)]$, equivalently, $c_*[P] \leq \overline{B}(P,P)$.


In applications, $c$ is the operational model $\gamma\colon \mu\Sigma \to B(\mu\Sigma,\mu\Sigma)$ of a higher-order language, or some coalgebra derived from it. The self-referential nature of logical predicates (as relative to themselves) is meant to cater for the property that "inputs in $P$ are mapped to outputs in $P$". The following example from xTCL illustrates this:

Example 13. For $B$ given by (3) and its canonical lifting $\overline{B}$, a predicate $P \rightarrowtail \mathrm{Tr}$ is logical for the operational model $\gamma\colon \mathrm{Tr} \to B(\mathrm{Tr},\mathrm{Tr})$ from (5) if $\gamma_*[P] \leq \overline{B}(P,P)$, that is,

$$\begin{array}{l} (\gamma_{\mathrm{unit}})_*[P_{\mathrm{unit}}] \leq P_{\mathrm{unit}} + 1, \\[2pt] \forall \tau_1,\tau_2.\ (\gamma_{\tau_1\to\tau_2})_*[P_{\tau_1\to\tau_2}] \leq P_{\tau_1\to\tau_2} + \{\, f\colon \mathrm{Tr}_{\tau_1} \to \mathrm{Tr}_{\tau_2} \mid \forall s \in P_{\tau_1}.\ f(s) \in P_{\tau_2} \,\}, \end{array}$$

using the description of $\overline{B}$ from Example 9. More explicitly, this means that

– if $s \in P_\tau$ and $s \to t$ then $t \in P_\tau$;
– if $s \in P_{\tau_1\to\tau_2}$ and $s \xrightarrow{t} u$, then $t \in P_{\tau_1}$ implies $u \in P_{\tau_2}$.


As we can see in the second clause, function terms that satisfy P produce outputs that 
satisfy P on all inputs that satisfy P. This is the key property of any logical predicate. 


Defining a suitable logical predicate (or relation) is the centerpiece of various sophisticated arguments in higher-order settings. One standard application of logical predicates is the proof of strong normalization, which we now illustrate in the case of xTCL. For the operational model $\gamma\colon \mathrm{Tr} \to B(\mathrm{Tr},\mathrm{Tr})$ and terms $r, s, t$ of compatible type, put

– $s \Rightarrow t$ if $s = s_0 \to s_1 \to \cdots \to s_n = t$ for some $n \geq 0$ and terms $s_0, \ldots, s_n$;
– $s \xRightarrow{t} r$ if $s \Rightarrow s'$ and $s' \xrightarrow{t} r$ for some (unique) $s'$;
– ${\Downarrow}(s)$ if $s \Rightarrow s'$ and $\gamma(s') \in D(\mathrm{Tr},\mathrm{Tr})$ for some (unique) $s'$.

Coalgebraically, this associates a weak operational model $\tilde\gamma\colon \mathrm{Tr} \to \mathcal{P}B(\mathrm{Tr},\mathrm{Tr})$ to $\gamma$, where

$$\tilde\gamma(t) = \{\, t' \mid t \Rightarrow t' \,\} \cup \{\, \gamma(t') \mid t \Rightarrow t',\ \gamma(t') \in D(\mathrm{Tr},\mathrm{Tr}) \,\}.$$

Strong normalization of xTCL asserts that ${\Downarrow} = \mathrm{Tr}$: every term eventually reduces to a function or explicitly terminates. We now devise three different logical predicates on $\mathrm{Tr}$, each of which provides a proof of that property. The idea is to refine the target predicate ${\Downarrow} \rightarrowtail \mathrm{Tr}$ to a logical predicate, for which showing that it is totally true will be facilitated by its invariance w.r.t. a corresponding coalgebra structure. Our first example will be based on the following notion of refinement:


Definition 14 (Locally maximal logical refinement). Let $c\colon X \to B(X,X)$ be a coalgebra and let $P \rightarrowtail X$ be a predicate. A predicate $\Box P \rightarrowtail X$ is a locally maximal logical refinement of $P$ if (i) $\Box P \leq P$, (ii) $\Box P$ is logical (i.e. a $\Box P$-relative $\overline{B}$-invariant), and (iii) for every predicate $Q \leq P$ that is a $\Box P$-relative $\overline{B}$-invariant, one has $Q \leq \Box P$.


Example 15. We define the predicate $\Box{\Downarrow} \rightarrowtail \mathrm{Tr}$, i.e. a family of subsets $\Box{\Downarrow}_\tau \subseteq \mathrm{Tr}_\tau$ ($\tau \in \mathrm{Ty}$), by induction on the structure of the type $\tau$: we put $\Box{\Downarrow}_{\mathrm{unit}} = {\Downarrow}_{\mathrm{unit}}$ and we take $\Box{\Downarrow}_{\tau_1\to\tau_2}$ to be the greatest subset of $\mathrm{Tr}_{\tau_1\to\tau_2}$ satisfying

$$\begin{array}{l} \Box{\Downarrow}_{\tau_1\to\tau_2}(t) \implies {\Downarrow}(t), \\[2pt] \Box{\Downarrow}_{\tau_1\to\tau_2}(t) \wedge t \to t' \implies \Box{\Downarrow}_{\tau_1\to\tau_2}(t'), \\[2pt] \Box{\Downarrow}_{\tau_1\to\tau_2}(t) \wedge t \xrightarrow{s} t' \wedge \Box{\Downarrow}_{\tau_1}(s) \implies \Box{\Downarrow}_{\tau_2}(t'). \end{array}$$

From this definition it is not difficult to verify by induction on the type that

$$\Box{\Downarrow} \text{ is a locally maximal logical refinement of } {\Downarrow}. \qquad (18)$$
Our goal is to show that $\Box{\Downarrow}$ is a subalgebra of $\mu\Sigma$, equivalently $\overline{\Sigma}(\Box{\Downarrow}) \leq \iota^*[\Box{\Downarrow}]$, which then implies $\Box{\Downarrow} = \mathrm{Tr}$ and hence ${\Downarrow} = \mathrm{Tr}$ by structural induction. Taking the partition $\Sigma = \Xi + \Delta$ where $\Xi$ is the part of the signature for application and $\Delta$ is the part of the signature for the remaining term constructors, we separately prove $\overline{\Xi}(\Box{\Downarrow}) \leq \iota^*[\Box{\Downarrow}]$ and $\overline{\Delta}(\Box{\Downarrow}) \leq \iota^*[\Box{\Downarrow}]$. It suffices to come up with $\Box{\Downarrow}$-relative invariants $A, C \subseteq {\Downarrow}$ such that $\overline{\Xi}(\Box{\Downarrow}) \leq \iota^*[A]$ and $\overline{\Delta}(\Box{\Downarrow}) \leq \iota^*[C]$. Then by (18) we can conclude $A, C \subseteq \Box{\Downarrow}$, so

$$\overline{\Xi}(\Box{\Downarrow}) \leq \iota^*[A] \leq \iota^*[\Box{\Downarrow}] \quad\text{and}\quad \overline{\Delta}(\Box{\Downarrow}) \leq \iota^*[C] \leq \iota^*[\Box{\Downarrow}].$$

Let us record for further reference what it means for $Q \rightarrowtail \mathrm{Tr}$ to be a $\Box{\Downarrow}$-relative invariant contained in ${\Downarrow}$. Given $t \in Q_\tau$, the following must hold:

(1) ${\Downarrow}t$, (2) if $t \to t'$ then $Q_\tau(t')$, (3) if $t\colon \tau_1 \to \tau_2$ and $t \xrightarrow{s} t'$ and $\Box{\Downarrow}_{\tau_1} s$ then $Q_{\tau_2}(t')$.


We first put $A = \Box{\Downarrow} \vee (\iota\cdot\mathrm{inl})_*[\overline{\Xi}(\Box{\Downarrow})]$, and prove (1)–(3) for $Q = A$. So let $t \in A_\tau$; we distinguish cases on the disjunction defining $A$. If $\Box{\Downarrow}_\tau t$, then (1)–(3) follow easily by definition. Otherwise, we have $t = p\,q$ such that $\Box{\Downarrow}_{\tau_1\to\tau_2} p$ and $\Box{\Downarrow}_{\tau_1} q$.

(1) By definition, $\Box{\Downarrow}_{\tau_1\to\tau_2} p$ and $\Box{\Downarrow}_{\tau_1} q$ entail that $p \xRightarrow{q} p'$ for a (unique) term $p'$, and that $\Box{\Downarrow}_{\tau_2} p'$, hence ${\Downarrow}_{\tau_2} p'$. Since $p\,q \Rightarrow p'$, it follows that ${\Downarrow}_{\tau_2}\, p\,q$.

(2) We distinguish cases over the semantic rules for application:

(a) $p\,q \to p'\,q$ where $p \to p'$. Then $\Box{\Downarrow}_{\tau_1\to\tau_2} p'$, hence $A_{\tau_2}(p'\,q)$.

(b) $p\,q \to p'$ where $p \xrightarrow{q} p'$. Since $\Box{\Downarrow}_{\tau_1\to\tau_2} p$ and $\Box{\Downarrow}_{\tau_1} q$, we have $\Box{\Downarrow}_{\tau_2} p'$, so $A_{\tau_2}(p')$.

(3) $t$ does not have labelled transitions, hence this case is void.


Next, we show that $C = \Box{\Downarrow} \vee (\iota\cdot\mathrm{inr})_*[\overline{\Delta}(\Box{\Downarrow})]$ is a $\Box{\Downarrow}$-relative invariant. We consider two representative cases; the remaining cases are handled similarly.

– Case $I_\tau\colon \tau \to \tau$. Since $I$ terminates immediately, property (1) holds by definition of ${\Downarrow}$ and (2) holds vacuously. For (3), if $I \xrightarrow{s} t'$ and $\Box{\Downarrow}_\tau s$, then $t' = s \in \Box{\Downarrow}_\tau \subseteq C_\tau$.

– Case $S''(t,s)\colon \tau_1 \to \tau_3$ with $\Box{\Downarrow}_{\tau_1\to\tau_2\to\tau_3} t$ and $\Box{\Downarrow}_{\tau_1\to\tau_2} s$. Again, (1) holds because $S''(t,s)$ terminates immediately, and (2) holds vacuously. For (3), suppose that $\Box{\Downarrow}_{\tau_1} r$; we have to show $(t\,r)(s\,r) \in C_{\tau_3}$. This follows from the inequality $\overline{\Xi}(\Box{\Downarrow}) \leq \iota^*[\Box{\Downarrow}]$ shown above, because $\Box{\Downarrow}_{\tau_2\to\tau_3}(t\,r)$ and $\Box{\Downarrow}_{\tau_2}(s\,r)$ by definition of $\Box{\Downarrow}$.

Note that the definition of $\Box{\Downarrow}$ uses both induction (over the structure of types) and coinduction (by taking at every type the greatest predicate satisfying some property).


Example 16. We give an alternative logical predicate defined purely inductively. It resembles Plotkin's original concept of logical relation [55]. We define $\hat{\Downarrow} \rightarrowtail \mathrm{Tr}$ by

$$\begin{array}{l} \hat{\Downarrow}_{\mathrm{unit}}(t) \iff {\Downarrow}_{\mathrm{unit}}(t), \\[2pt] \hat{\Downarrow}_{\tau_1\to\tau_2}(t) \iff {\Downarrow}_{\tau_1\to\tau_2}(t) \wedge \forall s, t'.\ \big(t \xRightarrow{s} t' \wedge \hat{\Downarrow}_{\tau_1}(s) \implies \hat{\Downarrow}_{\tau_2}(t')\big). \end{array} \qquad (19)$$

It is evidently logical for the restriction $\hat\gamma\colon \mathrm{Tr} \to \mathcal{P}D(\mathrm{Tr},\mathrm{Tr})$ of the weak operational model to labelled transitions, given by $\hat\gamma(t) := \{\gamma(t')\}$ if $t \Rightarrow t'$ and $\gamma(t') \in D(\mathrm{Tr},\mathrm{Tr})$, and $\hat\gamma(t) := \emptyset$ otherwise. A proof of strong normalization using $\hat{\Downarrow}$ is given in [25, App. A].
Example 17. A more popular (cf. [57,58]) and subtly different variant of $\hat{\Downarrow}$ for proving strong normalization goes back to Tait [59]. We define $\mathrm{SN} \rightarrowtail \mathrm{Tr}$ by

$$\begin{array}{l} \mathrm{SN}_{\mathrm{unit}}(t) \iff {\Downarrow}_{\mathrm{unit}}(t), \\[2pt] \mathrm{SN}_{\tau_1\to\tau_2}(t) \iff {\Downarrow}_{\tau_1\to\tau_2}(t) \wedge \big(\forall s\colon \tau_1.\ \mathrm{SN}_{\tau_1}(s) \implies \mathrm{SN}_{\tau_2}(t\,s)\big). \end{array} \qquad (20)$$

Unlike $\hat{\Downarrow}$, it is not immediate that $\mathrm{SN}$ is logical for $\hat\gamma$ (see [25, App. A]). For a proof of strong normalization based on $\mathrm{SN}$ in the context of the $\lambda$-calculus, see [57, Sec. 2].


While all three logical predicates $\Box{\Downarrow}$, $\hat{\Downarrow}$, $\mathrm{SN}$ are eligible for proving strong normalization, with proofs of similar length and complexity, the predicate $\Box{\Downarrow}$ arguably has the most generic flavour, as it depends neither on a system-specific notion of weak transition (which appears in the definition of $\hat{\Downarrow}$) nor on the syntax of the language (such as the application operator appearing in the definition of $\mathrm{SN}$). Thus, our abstract categorical approach to logical predicates will be based on a generalization of $\Box{\Downarrow}$.


3.3 Constructing Logical Predicates 


Our abstract coalgebraic notion of logical predicate (Definition 12) is parametric in the bifunctor $B$ and its lifting $\overline{B}$ and decoupled from any specific syntax. Next, we develop a systematic construction that promotes a predicate $P$ to a logical predicate, specifically to a locally maximal refinement of $P$, generalizing $\Box{\Downarrow}$ in Example 15. The construction proceeds in two stages. First, we fix the contravariant argument of the lifted bifunctor $\overline{B}$ and construct a greatest coalgebraic invariant w.r.t. the resulting endofunctor [36, §6.3]:


Definition 18 (Relative henceforth). Let $c\colon Y \to B(X,Y)$ and let $S \rightarrowtail X$ be a predicate. The ($S$-)relative henceforth modality sends $P \rightarrowtail Y$ to $\Box^{\overline{B},c}(S,P) \rightarrowtail Y$, which is the supremum in $\mathrm{Pred}_Y(\mathcal C)$ of all $S$-relative invariants contained in $P$:

$$\Box^{\overline{B},c}(S,P) = \bigvee \{\, Q \leq P \mid Q \text{ is an } S\text{-relative } \overline{B}\text{-invariant for } c \,\}. \qquad (21)$$

We will omit the superscripts $\overline{B}, c$ when they are irrelevant or clear from the context.

Proposition 19. The predicate $\Box(S,P)$ is the greatest $S$-relative $\overline{B}$-invariant contained in $P$. Moreover, the map $(S,P) \mapsto \Box(S,P)$ is antitone in $S$ and monotone in $P$.

Proof. The first statement follows from the Knaster–Tarski theorem since $\Box(S,P)$ is the greatest fixed point $\Box(S,P) = \nu G.\ P \wedge c^*[\overline{B}(S,G)]$ in the complete lattice $\mathrm{Pred}_Y(\mathcal C)$. The second statement holds due to the mixed variance of the predicate lifting $\overline{B}$. □
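The two facts asserted in the proof of Proposition 19, written out in the notation of (21). This derivation is added here and is not part of the original paper; it assumes only that inverse images $c^*[-]$ are monotone and that, since $\overline{B}$ is a functor on $\mathrm{Pred}(\mathcal C)^{op} \times \mathrm{Pred}(\mathcal C)$ and each fibre $\mathrm{Pred}_Y(\mathcal C)$ is a poset, $\overline{B}(S,-)$ is monotone and $\overline{B}(-,G)$ is antitone.

$$
\begin{aligned}
&\text{Put } \Phi_S(G) := P \wedge c^*[\overline{B}(S,G)] \text{ on } \mathrm{Pred}_Y(\mathcal C). \text{ For } Q \rightarrowtail Y: \\
&Q \text{ is an } S\text{-relative invariant contained in } P
  \iff Q \leq P \ \wedge\ Q \leq c^*[\overline{B}(S,Q)]
  \iff Q \leq \Phi_S(Q), \\
&\text{so the set on the right of (21) is exactly the set of post-fixed points of } \Phi_S. \\
&\Phi_S \text{ is monotone: } G \leq G' \implies \overline{B}(S,G) \leq \overline{B}(S,G') \implies c^*[\overline{B}(S,G)] \leq c^*[\overline{B}(S,G')]. \\
&\text{Knaster--Tarski: } \nu G.\,\Phi_S(G) = \bigvee\{\, Q \mid Q \leq \Phi_S(Q) \,\} = \Box(S,P) \text{ by (21)}, \\
&\text{and this supremum is itself a post-fixed point, i.e. the greatest } S\text{-relative invariant contained in } P. \\
&\text{Antitone in } S\text{: } S \leq S' \implies \overline{B}(S',G) \leq \overline{B}(S,G) \implies \Phi_{S'}(G) \leq \Phi_S(G) \text{ for all } G, \\
&\text{so every post-fixed point of } \Phi_{S'} \text{ is one of } \Phi_S, \text{ whence } \Box(S',P) \leq \Box(S,P). \\
&\text{Monotone in } P\text{: } P \leq P' \implies \Phi_S(G) \leq \Phi'_S(G) := P' \wedge c^*[\overline{B}(S,G)], \text{ whence } \Box(S,P) \leq \Box(S,P').
\end{aligned}
$$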


The relative henceforth modality only yields relative invariants. To obtain a logical predicate, i.e. an invariant relative to itself, we move to the second stage of our construction, which is based on ultrametric semantics, see e.g. [9]. Let us briefly recall some terminology. A metric space $(X, d\colon X \times X \to \mathbb{R})$ is 1-bounded if $d(x,y) \leq 1$ for all $x,y$, an ultrametric space if $d(x,y) \leq \max\{d(x,z), d(z,y)\}$ for all $x,y,z$, and complete if every Cauchy sequence converges. A map $f\colon (X,d) \to (X',d')$ between metric spaces is nonexpansive if $d'(f(x),f(y)) \leq d(x,y)$ for all $x,y$, and contractive if there exists $c \in [0,1)$, called a contraction factor, such that $d'(f(x),f(y)) \leq c \cdot d(x,y)$ for all $x,y$. A family of maps $(f_i\colon X \to X')_{i\in I}$ is uniformly contractive if there exists $c \in [0,1)$ such that each $f_i$ is contractive with factor $c$. By Banach's fixed point theorem, every contractive endomap $f\colon X \to X$ on a non-empty complete metric space has a unique fixed point.


Definition 20. The category $\mathcal C$ is predicate-contractive if

(1) every $\mathrm{Pred}_X(\mathcal C)$ carries the structure of a complete 1-bounded ultrametric space;
(2) for every $f\colon X \to Y$ in $\mathcal C$, the map $f^*[-]\colon \mathrm{Pred}_Y(\mathcal C) \to \mathrm{Pred}_X(\mathcal C)$ is non-expansive;
(3) for any two co-well-ordered families $(P^i \rightarrowtail X)_{i\in I}$ and $(Q^i \rightarrowtail X)_{i\in I}$ of predicates,

$$d\Big(\bigwedge_{i\in I} P^i,\ \bigwedge_{i\in I} Q^i\Big) \leq \sup_{i\in I} d(P^i, Q^i).$$

Here $(P^i \rightarrowtail X)_{i\in I}$ is co-well-ordered if each nonempty subfamily has a greatest element.


Example 21. The category $\mathcal C = \mathbf{Set}^{\mathrm{Ty}}$ is predicate-contractive when equipped with the ultrametric on $\mathrm{Pred}_X(\mathcal C)$ given by $d(P,Q) = 2^{-n}$ for $P, Q \rightarrowtail X$, where $n = \inf\{\, \#\tau \mid P_\tau \neq Q_\tau \,\}$ and $\#\tau$ is the size of $\tau$, defined by $\#\mathrm{unit} = 1$ and $\#(\tau_1 \to \tau_2) = \#\tau_1 + \#\tau_2$. By convention, $\inf \emptyset = \infty$ and $2^{-\infty} = 0$. To see predicate-contractivity, first note that a function $F\colon \mathrm{Pred}_Y(\mathcal C) \to \mathrm{Pred}_X(\mathcal C)$ is non-expansive iff

$$\inf\{\, \#\tau \mid (FP)_\tau \neq (FQ)_\tau \,\} \geq \inf\{\, \#\tau \mid P_\tau \neq Q_\tau \,\} \quad\text{for all } P, Q \rightarrowtail Y,$$

and contractive (necessarily with factor at most $1/2$) iff that inequality holds strictly. This immediately implies clause (2) of Definition 20: inverse images in $\mathbf{Set}^{\mathrm{Ty}}$ are computed pointwise, and $f_\tau^*[P_\tau] \neq f_\tau^*[Q_\tau]$ implies $P_\tau \neq Q_\tau$ for $f\colon X \to Y$ and $P, Q \rightarrowtail Y$. Similarly, since intersections are computed pointwise, clause (3) amounts to

$$\inf\Big\{\, \#\tau \;\Big|\; \bigcap_{i\in I} P^i_\tau \neq \bigcap_{i\in I} Q^i_\tau \,\Big\} \geq \inf\{\, \#\tau \mid \exists i \in I\colon P^i_\tau \neq Q^i_\tau \,\},$$

which is clearly true, for if $\bigcap_{i\in I} P^i_\tau \neq \bigcap_{i\in I} Q^i_\tau$ then $P^i_\tau \neq Q^i_\tau$ for some $i \in I$.


Definition 22 (Contractive lifting). Suppose that $\mathcal C$ is predicate-contractive. The predicate lifting $\overline{B}\colon \mathrm{Pred}(\mathcal C)^{op} \times \mathrm{Pred}(\mathcal C) \to \mathrm{Pred}(\mathcal C)$ is contractive if for every $S \rightarrowtail X$ the map $\overline{B}(S,-)$ is non-expansive, and the family $(\overline{B}(-,P))_{P \rightarrowtail X}$ is uniformly contractive.

Proposition 23. Let $\overline{B}$ be contractive and $c\colon X \to B(X,X)$. For every $S \rightarrowtail X$, the map $\Box^{\overline{B},c}(S,-)$ is non-expansive, and the family $(\Box^{\overline{B},c}(-,P))_{P \rightarrowtail X}$ is uniformly contractive.


Contractive liftings allow us to augment every predicate P to a logical predicate: 


Definition 24 (Henceforth). Let $\overline{B}$ be contractive and $c\colon X \to B(X,X)$. For each predicate $P \rightarrowtail X$ we define $\Box^{\overline{B},c}P \rightarrowtail X$ (where we usually omit the superscripts) to be the unique fixed point of the contractive endomap

$$S \mapsto \Box^{\overline{B},c}(S,P) \quad\text{on } \mathrm{Pred}_X(\mathcal C). \qquad (22)$$

Theorem 25. The predicate $\Box P$ is the unique locally maximal logical refinement of $P$.

Proof. By (22), $\Box P$ is the unique predicate satisfying $\Box P = \Box(\Box P, P)$. By (21), this equality says that $\Box P$ is the greatest $\Box P$-relative invariant contained in $P$, as needed. □
Example 26. Let $B$ be the behaviour bifunctor on $\mathbf{Set}^{\mathrm{Ty}}$ given by (3). Its canonical lifting $\overline{B}$ (Example 9) is contractive because $\overline{B}_{\tau_1\to\tau_2}(P,Q)$ depends only on $P_{\tau_1}$, $Q_{\tau_2}$, $Q_{\tau_1\to\tau_2}$; in other words, $\overline{B}$ decreases the size of types in the contravariant argument and does not increase it in the covariant argument. Given a coalgebra $c\colon X \to B(X,X)$ and $P \rightarrowtail X$, the fixed point $\Box^{\overline{B},c}P$ is given by the $\mathrm{Ty}$-indexed family of greatest fixed points

$$\begin{array}{l} \Box P_{\mathrm{unit}} = \nu G.\ P_{\mathrm{unit}} \wedge c_{\mathrm{unit}}^*[G + 1], \\[2pt] \Box P_{\tau_1\to\tau_2} = \nu G.\ P_{\tau_1\to\tau_2} \wedge c_{\tau_1\to\tau_2}^*\big[G + \{\, f\colon X_{\tau_1} \to X_{\tau_2} \mid \forall s \in \Box P_{\tau_1}.\ f(s) \in \Box P_{\tau_2} \,\}\big]. \end{array}$$

This follows from Theorem 25 since the above predicate is clearly a locally maximal refinement of $P$. By instantiating $c$ to the operational model $\gamma\colon \mu\Sigma \to B(\mu\Sigma,\mu\Sigma)$ of xTCL and taking $P = {\Downarrow}$, we recover the definition of $\Box{\Downarrow}$ in Example 15.
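The contractivity claim of Example 26, checked against the ultrametric $d(P,Q) = 2^{-\inf\{\#\tau \mid P_\tau \neq Q_\tau\}}$ of Example 21 and the description (16)–(17) of $\overline{B}$. This derivation is added here and is not part of the original paper; it uses nothing beyond those two definitions and the size function $\#$.

$$
\begin{aligned}
&\text{Fix } P, P', Q, Q' \rightarrowtail X \text{ and put } n := \inf\{\#\tau \mid P_\tau \neq P'_\tau\},\ m := \inf\{\#\tau \mid Q_\tau \neq Q'_\tau\}. \\
&\text{By (16)--(17): } \overline{B}_{\mathrm{unit}}(P,Q) = Q_{\mathrm{unit}} + 1, \qquad
  \overline{B}_{\tau_1\to\tau_2}(P,Q) = Q_{\tau_1\to\tau_2} + \{\, f \mid \forall x \in P_{\tau_1}.\ f(x) \in Q_{\tau_2} \,\}. \\[4pt]
&\textit{Contravariant argument.}\quad
  \overline{B}_\tau(P,Q) \neq \overline{B}_\tau(P',Q)
  \implies \tau = \tau_1 \to \tau_2 \text{ with } P_{\tau_1} \neq P'_{\tau_1}
  \implies \#\tau = \#\tau_1 + \#\tau_2 \geq n + 1, \\
&\text{hence } d\big(\overline{B}(P,Q), \overline{B}(P',Q)\big) \leq 2^{-(n+1)} = \tfrac12\, d(P,P'):
  \text{ the family } (\overline{B}(-,Q))_{Q} \text{ is uniformly contractive with factor } \tfrac12. \\[4pt]
&\textit{Covariant argument.}\quad
  \overline{B}_\tau(P,Q) \neq \overline{B}_\tau(P,Q')
  \implies Q_\tau \neq Q'_\tau \ \text{ or }\ (\tau = \tau_1 \to \tau_2 \text{ and } Q_{\tau_2} \neq Q'_{\tau_2})
  \implies \#\tau \geq m, \\
&\text{hence } d\big(\overline{B}(P,Q), \overline{B}(P,Q')\big) \leq 2^{-m} = d(Q,Q'):
  \ \overline{B}(P,-) \text{ is non-expansive, as Definition 22 requires.}
\end{aligned}
$$

The strict bound in the contravariant case comes from $\#\tau_2 \geq 1$; the unit case contributes nothing there, since $\overline{B}_{\mathrm{unit}}$ does not depend on $P$ at all.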


Example 27. The logical predicate $\hat{\Downarrow} \rightarrowtail \mathrm{Tr}$ of Example 16 is precisely $\Box{\Downarrow}$ for $\mathcal{P}D$ w.r.t. its canonical lifting and the coalgebra $\hat\gamma\colon \mathrm{Tr} \to \mathcal{P}D(\mathrm{Tr},\mathrm{Tr})$. More generally, for a coalgebra $c\colon X \to \mathcal{P}D(X,X)$, the predicate $\Box P$ is inductively defined as follows:

$$\begin{array}{l} \Box P_{\mathrm{unit}} = P_{\mathrm{unit}}, \\[2pt] \Box P_{\tau_1\to\tau_2} = P_{\tau_1\to\tau_2} \wedge c_{\tau_1\to\tau_2}^*\big[\{\, F \subseteq X_{\tau_2}^{X_{\tau_1}} \mid \forall f \in F.\ \forall s \in \Box P_{\tau_1}.\ f(s) \in \Box P_{\tau_2} \,\}\big]. \end{array}$$


Remark 28. The construction of logical predicates for typed languages is enabled by the "type-decreasing" nature of the associated behaviour bifunctors. In untyped settings, e.g. for $B(X,Y) = Y + Y^X$ on $\mathbf{Set}$ modelling untyped combinatory logic [24], the canonical lifting $\overline{B}$ is not contractive, hence the fixed point $\Box P$ in general fails to exist.


Remark 29. The forgetful functor $|{-}|\colon \mathrm{Pred}(\mathcal C) \to \mathcal C$ forms a complete lattice fibration [35], equivalently a topological functor [2], and all notions and results of the present subsection extend to that level of generality. We leave the details for future work, as the reasoning techniques developed in the upcoming sections are tailored to logical predicates.


We are now in a position to state precisely what a proof via logical predicates is in our framework. Given the operational model $\gamma\colon \mu\Sigma \to B(\mu\Sigma,\mu\Sigma)$ of a higher-order language, a predicate lifting $\overline{B}$, and a target predicate $P \rightarrowtail \mu\Sigma$, a proof of $P$ via logical predicates is a proof that $\Box P$ forms a subalgebra of the initial algebra $\mu\Sigma$, which means

$$\overline{\Sigma}(\Box P) \leq \iota^*[\Box P], \quad\text{equivalently}\quad \iota_*[\overline{\Sigma}(\Box P)] \leq \Box P. \qquad (23)$$

Then $\Box P = \mu\Sigma$ by structural induction, whence $P = \mu\Sigma$ because $\Box P \leq P$.

Up to this point, we have streamlined and formalized coalgebraic logical predicates 
as a certain abstract construction on predicates (Definition 24) and presented proofs 
by coalgebraic logical predicates as standard structural induction on said construction. 
This presentation is indeed that of an abstract method: the various parts of the problem 
setting, namely the syntax, the behaviour and its predicate lifting, as well as the opera- 
tional semantics, are all parameters. In the next section, we exploit the parametric and 
generic nature of this method in two main ways. First, we present up-to techniques that 
simplify the proof goal (23) as much as possible. Second, we look to instantiate our 
method to problems on classes of higher-order languages, as opposed to reasoning about 
operational models of individual languages such as xTCL or the $\lambda$-calculus.
4 Logical Predicates and Higher-Order Abstract GSOS


As indicated before, substantial parts of the proof of strong normalization in Example 15 look generic. Specifically, the properties (2) and (3) established for $Q = A$ and $Q = C$ are independent of the choice of predicate $P = {\Downarrow}$ in $\Box P$. Moreover, these steps are either obvious or follow immediately from the operational rules of xTCL: the predicates $A$ and $C$ being invariants can be attributed to the fact that except for terms of the form $S''(-,-)$, all terms evolve either to a variable or to some flat term such as $p'\,q$. The core of the proof, which is tailored to the choice of $P$, lies in proving property (1).

As it turns out, for a class of higher-order GSOS laws that we call relatively flat 
higher-order GSOS laws, conditions (2) and (3) are automatic. This insight leads us to a 
powerful up-to technique that simplifies proofs via logical predicates. 


4.1 Relatively Flat Higher-Order GSOS Laws 


The following definition abstracts the restricted nature of the rules of xTCL to the level 
of higher-order GSOS laws. For simplicity, we confine ourselves to 0-pointed laws, 
however all the results of this subsection easily extend to the V-pointed case. 


Definition 30. Let $\Sigma\colon \mathcal C \to \mathcal C$ be a syntax functor of the form $\Sigma = \coprod_{j\in J} \Sigma_j$, where $(J,<)$ is a non-empty well-founded strict partial order, and put $\Sigma_{<j} = \coprod_{j'<j} \Sigma_{j'}$. A relatively flat (0-pointed) higher-order GSOS law of $\Sigma$ over $B$ is a $J$-indexed family of morphisms

$$\rho^j_{X,Y}\colon \Sigma_j(X \times B(X,Y)) \to B\big(X,\ \Sigma_{<j}^*(X+Y) + \Sigma_j\Sigma_{<j}^*(X+Y)\big) \qquad (24)$$

dinatural in $X \in \mathcal C$ and natural in $Y \in \mathcal C$.

We put $e_{j,X} = [\,\overline{\mathrm{in}'_j},\ \iota \cdot \mathrm{in}_j \cdot \Sigma_j\overline{\mathrm{in}'_j}\,]\colon \Sigma_{<j}^*X + \Sigma_j\Sigma_{<j}^*X \to \Sigma^*X$, where $\mathrm{in}'_j\colon \Sigma_{<j} \to \Sigma$ and $\mathrm{in}_j\colon \Sigma_j \to \Sigma$ are the coproduct injections, with free extensions $\overline{\mathrm{in}'_j}\colon \Sigma_{<j}^* \to \Sigma^*$ and $\overline{\mathrm{in}_j}\colon \Sigma_j^* \to \Sigma^*$, and $\iota\colon \Sigma\Sigma^*X \to \Sigma^*X$ is the free algebra structure. Every relatively flat higher-order GSOS law (24) determines an ordinary higher-order GSOS law of $\Sigma$ over $B$ with components

$$\rho_{X,Y} = \Big( \Sigma(X \times B(X,Y)) = \coprod_{j\in J} \Sigma_j(X \times B(X,Y)) \xrightarrow{\ \coprod_{j\in J} \rho^j_{X,Y}\ } \coprod_{j\in J} B\big(X,\ \Sigma_{<j}^*(X+Y) + \Sigma_j\Sigma_{<j}^*(X+Y)\big) \xrightarrow{\ [B(X,\, e_{j,X+Y})]_{j\in J}\ } B(X, \Sigma^*(X+Y)) \Big).$$

When we interpret a higher-order GSOS law as a set of operational rules, relative flatness means that the operations of the language can be ranked in a way that every term $f(-,\cdots,-)$ with $f$ of rank $j$ evolves into a term that uses only operations of strictly lower rank, except possibly its head symbol which may have the same rank $j$.


Example 31. xTCL is relatively flat: put $J = \{0 < 1\}$, let $\Sigma_0$ contain application, and let $\Sigma_1$ contain all other operation symbols. This is immediate from the rules in Figure 1.


Definition 32. Suppose that each $\Sigma_j$ preserves strong epimorphisms. A predicate lifting of (24) is a relatively flat 0-pointed higher-order GSOS law $(\overline{\rho}^{\,j})_{j\in J}$ of $\overline{\Sigma} = \coprod_{j\in J} \overline{\Sigma_j}$ over $\overline{B}$ where for every $P \rightarrowtail X$ and $Q \rightarrowtail Y$ the $\mathrm{Pred}(\mathcal C)$-morphism $\overline{\rho}^{\,j}_{P,Q}$ is carried by $\rho^j_{X,Y}$.

Remark 33. (1) The condition on $\Sigma_j$ ensures $\overline{\Sigma_j}\,\overline{\Sigma_{<j}^*} = \overline{\Sigma_j\Sigma_{<j}^*}$ (Proposition 7), so that the first component of $\overline{\rho}^{\,j}_{P,Q}$ has type $\Sigma_j(X \times B(X,Y)) \to B\big(X,\ \Sigma_{<j}^*(X+Y) + \Sigma_j\Sigma_{<j}^*(X+Y)\big)$.

(2) Liftings are unique if they exist: since $\overline{\rho}^{\,j}_{P,Q}$ is a $\mathrm{Pred}(\mathcal C)$-morphism, it is determined by its first component $\rho^j_{X,Y}$. Moreover, the (di)naturality of $\overline{\rho}^{\,j}$ follows from that of $\rho^j$.

(3) For the canonical lifting $\overline{B}$, a lifting $(\overline{\rho}^{\,j})_{j\in J}$ of $(\rho^j)_{j\in J}$ always exists [25, App. D].

The following theorem establishes a sound up-to technique for logical predicates. It states that for operational models of relatively flat laws, the proof goal (23) can be established by checking a substantially relaxed property.


Theorem 34 (Induction up to $\Box$). Let $\gamma\colon \mu\Sigma \to B(\mu\Sigma,\mu\Sigma)$ be the operational model of a relatively flat 0-pointed higher-order GSOS law that admits a predicate lifting. Then for every predicate $P \rightarrowtail \mu\Sigma$ and every locally maximal logical refinement $\Box^{\overline{B}}P$,

$$\overline{\Sigma}(\Box^{\overline{B}}P) \leq \iota^*[P] \quad\text{implies}\quad \overline{\Sigma}(\Box^{\overline{B}}P) \leq \iota^*[\Box^{\overline{B}}P] \quad (\text{hence } P = \mu\Sigma).$$

We stress that the theorem applies to any refinement $\Box^{\overline{B}}P$ and does not assume a specific construction (e.g. that of Section 3.3). The up-to technique facilitates proofs via logical predicates quite dramatically. For illustration, we revisit strong normalization:


Example 35. We give an alternative proof of strong normalization of xTCL (cf. Example 15) via induction up to $\Box$. Hence it suffices to prove

$$\overline{\Sigma}(\Box{\Downarrow}) \leq \iota^*[{\Downarrow}],$$

which states that a term is terminating if all of its subterms are in the logical predicate $\Box{\Downarrow}$. This is clear for terms that are not applications, since they immediately terminate (cf. Figure 1). Now consider an application $p\,q$ such that $\Box{\Downarrow}_{\tau_1\to\tau_2}(p)$ and $\Box{\Downarrow}_{\tau_1}(q)$. Since $\Box{\Downarrow}$ is a logical predicate contained in ${\Downarrow}$, this entails that $p \xRightarrow{q} p'$ for a (unique) term $p'$, and that $\Box{\Downarrow}_{\tau_2} p'$, hence ${\Downarrow}_{\tau_2} p'$. Since $p\,q \Rightarrow p'$, it follows that ${\Downarrow}_{\tau_2}\, p\,q$.

Analogous reasoning shows that xTCL is strongly normalizing under the call-by-value and the maximally nondeterministic evaluation strategy (Remark 5). In the latter case, strong normalization means that every term must eventually terminate, independently of the order of evaluation.


The reader should compare the above compact argument to the laborious original proof given in Example 15. Our up-to technique can be seen to precisely isolate the non-trivial core of the proof, while providing its generic parts for free. For a further application – type safety of the simply typed $\lambda$-calculus – see Section 4.2.


4.2 $\lambda$-Laws


We proceed to explain how our theory of logical predicates applies to languages with variables and binders. We highlight the core ideas and technical challenges in the case of the $\lambda$-calculus, and briefly sketch their categorical generalization; a full exposition can be found in [25, App. E]. Let STLC be the simply typed call-by-name $\lambda$-calculus with the set $\mathrm{Ty}$ of types given by (2) and operational rules

$$\frac{t \to t'}{t\,s \to t'\,s} \qquad\qquad (\lambda x{:}\tau.\,t)\,s \to t[s/x] \qquad (25)$$

where $s, t, t'$ range over $\lambda$-terms of appropriate type, and $[-/-]$ denotes capture-avoiding substitution. To model STLC in higher-order abstract GSOS, we follow ideas by Fiore [18]. Our base category $\mathcal C$ is the presheaf category $(\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}}$ where $\mathbb{F}$ denotes the category of finite cardinals and functions, and the set $\mathrm{Ty}$ is regarded as a discrete category. An object $\Gamma\colon n \to \mathrm{Ty}$ of $\mathbb{F}/\mathrm{Ty}$ is a typed context, associating to each variable $x \in n$ a type; we put $|\Gamma| := n$. A presheaf $X \in (\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}}$ associates to each context $\Gamma$ and each type $\tau$ a set $X_\tau(\Gamma)$ whose elements we think of as terms of type $\tau$ in context $\Gamma$. The syntax of STLC is captured by the functor $\Sigma\colon (\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}} \to (\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}}$ where

$$\begin{array}{l} \Sigma_{\mathrm{unit}}X = V_{\mathrm{unit}} + K_1 + \coprod_{\tau\in\mathrm{Ty}} X_{\tau\to\mathrm{unit}} \times X_\tau, \\[2pt] \Sigma_{\tau_1\to\tau_2}X = V_{\tau_1\to\tau_2} + \delta_{\tau_1}X_{\tau_2} + \coprod_{\tau\in\mathrm{Ty}} X_{\tau\to\tau_1\to\tau_2} \times X_\tau. \end{array} \qquad (26)$$

Here $K_1 \in \mathbf{Set}^{\mathbb{F}/\mathrm{Ty}}$ is the constant presheaf on $1$, $V_\tau$ is given by $V_\tau(\Gamma) = \{\, x \in |\Gamma| \mid \Gamma(x) = \tau \,\}$, and $\delta_{\tau_1}$ by $(\delta_{\tau_1}X_{\tau_2})(\Gamma) = X_{\tau_2}(\Gamma + \tau_1)$, with $(-) + \tau_1$ denoting context extension by a variable of type $\tau_1$. Informally, $K_1$, $V$ and $\delta$ represent the constant $\mathsf{e}\colon \mathrm{unit}$, variables, and $\lambda$-abstraction, respectively. The initial algebra for $\Sigma$ is the presheaf $\Lambda$ of $\lambda$-terms, i.e. $\Lambda_\tau(\Gamma)$ is the set of $\lambda$-terms (modulo $\alpha$-equivalence) of type $\tau$ in context $\Gamma$ [18].

The behaviour bifunctor $B^\lambda\colon \big((\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}}\big)^{op} \times (\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}} \to (\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}})^{\mathrm{Ty}}$ for STLC has two separate components: it is given by a product

$$B^\lambda(X,Y) = \langle\!\langle X, Y\rangle\!\rangle \times B(X,Y) \qquad (27)$$

where $\langle\!\langle X,Y\rangle\!\rangle_\tau(\Gamma)$ is the set of natural transformations $\prod_{x\in|\Gamma|} X_{\Gamma(x)} \to Y_\tau$,

$$B(X,Y) = K_1 + Y + D(X,Y), \qquad D_{\mathrm{unit}}(X,Y) = K_1 \quad\text{and}\quad D_{\tau_1\to\tau_2}(X,Y) = Y_{\tau_2}^{X_{\tau_1}},$$

and $Y^X$ is an exponential object in $\mathbf{Set}^{\mathbb{F}/\mathrm{Ty}}$. The bifunctor $\langle\!\langle -,-\rangle\!\rangle$ models an abstract substitution structure; for instance, every $\lambda$-term $t \in \Lambda_\tau(\Gamma)$ induces a natural transformation $\prod_{x\in|\Gamma|} \Lambda_{\Gamma(x)} \to \Lambda_\tau$ in $\langle\!\langle \Lambda,\Lambda\rangle\!\rangle_\tau(\Gamma)$ mapping a tuple $(t_1,\ldots,t_{|\Gamma|})$ to the term obtained by simultaneous substitution of the terms $t_i$ for the variables of $t$. The summands of the bifunctor $B$ abstract from the possible operational behaviour of $\lambda$-terms: a term may explicitly terminate, reduce, get stuck (e.g. if it is a variable), or act as a function.

The operational rules (25) of STLC can be encoded into a $V$-pointed higher-order GSOS law of $\Sigma$ over $B^\lambda$, similar to the untyped $\lambda$-calculus treated in earlier work [24]. The operational model $\langle \phi, \gamma\rangle\colon \Lambda \to \langle\!\langle \Lambda,\Lambda\rangle\!\rangle \times B(\Lambda,\Lambda)$ is the coalgebra whose components $\phi, \gamma$ describe the substitution structure and the operational behaviour of $\lambda$-terms.

At this point, a key technical issue can be observed: the canonical predicate lifting $\overline{\langle\!\langle -,-\rangle\!\rangle}$ is not contractive. Indeed, given $P \rightarrowtail X$, $Q \rightarrowtail Y$, the predicate $\overline{\langle\!\langle P,Q\rangle\!\rangle}_\tau$ consists of all natural transformations $\prod_{x\in|\Gamma|} X_{\Gamma(x)} \to Y_\tau$ that restrict to $\prod_{x\in|\Gamma|} P_{\Gamma(x)} \to Q_\tau$, and this expression depends on $P_{\Gamma(x)}$ where the type $\Gamma(x)$ may be of higher complexity than $\tau$. In particular, we conclude that $\overline{B^\lambda}$ is not contractive. In contrast, the canonical lifting $\overline{B}$ is contractive and hence $\Box^{\overline{B}}P$ exists for every $P \rightarrowtail \Lambda$ (Definition 24). However, it is well-known that logical predicates do not do the trick for inductive proofs in the $\lambda$-calculus, see e.g. [57, p. 9] and [49, p. 150]; rather, one needs to prove the open extension of the logical predicate, which is the larger predicate

$$\nabla^{\overline{B}}P = \phi^*\big[\overline{\langle\!\langle \Box^{\overline{B}}P,\ \Box^{\overline{B}}P\rangle\!\rangle}\big].$$

The standard proof method is then to show $\nabla^{\overline{B}}P = \Lambda$ directly by structural induction. However, this can be greatly simplified by the following up-to principle, which works with the original predicate $\Box^{\overline{B}}P$ and forms a counterpart of Theorem 34 for the $\lambda$-calculus:


Theorem 36 (Induction up to $\Box$). Let $P \rightarrowtail \Lambda$ be a predicate. Then

$$\overline{\Sigma}(\Box^{\overline{B}}P) \leq \iota^*[P] \quad\text{implies}\quad \overline{\Sigma}(\Box^{\overline{B}}P) \leq \iota^*[\Box^{\overline{B}}P] \quad (\text{hence } P = \Lambda).$$

Remark 37. Concretely, the theorem states that to prove $P = \Lambda$, it suffices to prove that (1) variables satisfy $P$, (2) the unit expression $\mathsf{e}\colon \mathrm{unit}$ satisfies $P$, (3) for all application terms $p\,q$ such that $\Box_{\tau_1\to\tau_2}P(\Gamma)(p)$ and $\Box_{\tau_1}P(\Gamma)(q)$, we have $P_{\tau_2}(\Gamma)(p\,q)$, and (4) for all $\lambda$-abstractions $\lambda x{:}\tau_1.\,t$ such that $t \in \Box_{\tau_2}P(\Gamma, x)$, we have $P_{\tau_1\to\tau_2}(\Gamma)(\lambda x{:}\tau_1.\,t)$.


Example 38. We prove type safety for STLC via induction up to $\Box$. Thus consider the predicate $\mathrm{Safe} \rightarrowtail \Lambda$ that is constantly true on open terms and given by

$$t \in \mathrm{Safe}_\tau(\emptyset) \iff \big(\forall e.\ t \Rightarrow e \implies (e \text{ is not an application}) \vee \exists r.\ e \to r\big),$$

on closed terms. We only need to check the conditions (1)–(4) of Remark 37. Conditions (1), (2), (4) are clear since variables are open terms and the term $\mathsf{e}\colon \mathrm{unit}$ and $\lambda$-abstractions do not reduce. The only interesting clause is (3) for the empty context. Thus let $p\,q$ be a closed application term with $p \in \Box\mathrm{Safe}_{\tau_1\to\tau_2}(\emptyset)$ and $q \in \Box\mathrm{Safe}_{\tau_1}(\emptyset)$; we need to show $p\,q \in \mathrm{Safe}_{\tau_2}(\emptyset)$. We proceed by case distinction on $p\,q \to e$:

(a) $p \to p'$ and $e = p'\,q$. Then $p' \in \Box\mathrm{Safe}_{\tau_1\to\tau_2}(\emptyset)$ by invariance, in particular $p'$ is safe, so $p'$ is either not an application or reduces. In the former case, $p'$ is necessarily a $\lambda$-abstraction since it is closed and not of type $\mathrm{unit}$. Thus, in both cases, $e$ reduces.

(b) $p = \lambda x.\,p'$ and $p'[q/x] = e$. Since $\Box\mathrm{Safe}$ is a logical predicate, from $p \in \Box\mathrm{Safe}_{\tau_1\to\tau_2}(\emptyset)$ and $q \in \Box_{\tau_1}\mathrm{Safe}(\emptyset)$ we can deduce $p'[q/x] \in \Box_{\tau_2}\mathrm{Safe}(\emptyset)$, whence $e \in \Box_{\tau_2}\mathrm{Safe}(\emptyset)$. In particular, $e$ is safe, which implies that $e$ is either not an application or reduces.

As an exercise, we invite the reader to prove strong normalization of STLC via induction up to $\Box$. The reader should compare these short and simple proofs with more traditional ones, see e.g. [57].

All the above results and observations for STLC can be generalized and developed at the level of general higher-order abstract GSOS laws. To this end, we first abstract the behaviour functor (27) to a functor of the form $B(X,Y) = (X \multimap Y) \times B'(X,Y)$, where $(-) \multimap (-)$ is the internal hom-functor of a suitable closed monoidal structure on the base category $\mathcal C$. In the case of STLC, this structure is given by Fiore's substitution tensor [18]. Second, we observe that the higher-order GSOS law of STLC is an instance of a special kind of law that we coin relatively flat $\lambda$-laws. The induction-up-to-$\Box$ technique of Theorem 36 then can be shown to hold for operational models of relatively flat $\lambda$-laws. More details can be found in [25, App. E].


5 Strong Normalization for Deterministic Systems, Abstractly 


The high level of generality in which the theory of logical predicates is developed above 
enables reasoning uniformly about whole families of languages and behaviours. In this 
section, we narrow our focus to deterministic systems and establish a general strong 
normalization criterion, which can be checked in concrete instances by mere inspection 
of the operational rules corresponding to higher-order abstract GSOS laws. 
Throughout this section, we fix a 0-pointed higher-order GSOS law $\rho$ of a signature endofunctor $\Sigma\colon \mathcal C \to \mathcal C$ over a behaviour bifunctor $B\colon \mathcal C^{op} \times \mathcal C \to \mathcal C$, where

$$B(X,Y) = Y + D(X,Y) \quad\text{for some } D\colon \mathcal C^{op} \times \mathcal C \to \mathcal C.$$

For instance, the type functor (3) for xTCL is of that form. The operational model $\gamma\colon \mu\Sigma \to \mu\Sigma + D(\mu\Sigma,\mu\Sigma)$ has an $n$-step extension $\gamma^{(n)}\colon \mu\Sigma \to \mu\Sigma + D(\mu\Sigma,\mu\Sigma)$, for each $n \in \mathbb{N}$, where $\gamma^{(0)}$ is the left coproduct injection and $\gamma^{(n+1)}$ is the composite

$$\mu\Sigma \xrightarrow{\ \gamma^{(n)}\ } \mu\Sigma + D(\mu\Sigma,\mu\Sigma) \xrightarrow{\ \gamma + \mathrm{id}\ } \mu\Sigma + D(\mu\Sigma,\mu\Sigma) + D(\mu\Sigma,\mu\Sigma) \xrightarrow{\ \mathrm{id} + \nabla\ } \mu\Sigma + D(\mu\Sigma,\mu\Sigma).$$

We regard $D(\mu\Sigma,\mu\Sigma)$ as a predicate on $B(\mu\Sigma,\mu\Sigma)$ via the right coproduct injection, which is monic by extensivity of $\mathcal C$, and define the following predicates on $\mu\Sigma$:

$${\Downarrow}_n = (\gamma^{(n)})^*[D(\mu\Sigma,\mu\Sigma)], \quad\text{and}\quad {\Downarrow} = \bigvee_n {\Downarrow}_n.$$

In xTCL, these are the predicates of strong normalization after at most $n$ steps, and of strong normalization, resp. Accordingly, we define strong normalization abstractly as follows:

Definition 39. The higher-order GSOS law $\rho$ is strongly normalizing if ${\Downarrow} = \mu\Sigma$.


We next identify two natural conditions on the law $\rho$ that together ensure strong normalization. The first roughly asserts that for a term $t = f(x_1,\ldots,x_n)$ whose variables $x_i$ are non-progressing, the term $t$ is either non-progressing or it progresses to a variable.

Definition 40. The higher-order GSOS law $\rho$ is simple if its components $\rho_{X,Y}$ restrict to morphisms $\rho'_{X,Y}$ as in the diagram below, where $\eta$ is the unit of the free monad $\Sigma^*$:

$$\begin{array}{ccc} \Sigma(X \times D(X,Y)) & \xrightarrow{\ \rho'_{X,Y}\ } & X + Y + D(X, \Sigma^*(X+Y)) \\ {\scriptstyle \Sigma(\mathrm{id} \times \mathrm{inr})}\big\downarrow & & \big\downarrow{\scriptstyle \eta + \mathrm{id}} \\ \Sigma(X \times (Y + D(X,Y))) & \xrightarrow{\ \rho_{X,Y}\ } & \Sigma^*(X+Y) + D(X, \Sigma^*(X+Y)) \end{array}$$
The second condition asserts that the rules represented by the higher-order GSOS law remain sound when strong transitions are replaced by weak ones. In the following, the graph of a morphism $f\colon A \to B$ is the image $\mathrm{gra}(f) \rightarrowtail A \times B$ of $\langle \mathrm{id}, f\rangle\colon A \to A \times B$.

Definition 41. The higher-order GSOS law $\rho$ respects weak transitions if for every $n \in \mathbb{N}$, the graph of the composite below is contained in $\bigvee_k \mathrm{gra}(\gamma^{(k)} \cdot \iota)$, where $\hat\iota\colon \Sigma^*(\mu\Sigma) \to \mu\Sigma$ denotes the free extension of $\iota$.

$$\Sigma(\mu\Sigma) \xrightarrow{\ \Sigma\langle \mathrm{id}, \gamma^{(n)}\rangle\ } \Sigma(\mu\Sigma \times B(\mu\Sigma,\mu\Sigma)) \xrightarrow{\ \rho_{\mu\Sigma,\mu\Sigma}\ } B(\mu\Sigma, \Sigma^*(\mu\Sigma+\mu\Sigma)) \xrightarrow{\ B(\mathrm{id},\ \hat\iota \cdot \Sigma^*\nabla)\ } B(\mu\Sigma,\mu\Sigma)$$

Note that the higher-order GSOS law for xTCL is simple and respects weak transitions. Thus, strong normalization of xTCL is an instance of the following strong normalization theorem for higher-order abstract GSOS. Concerning its conditions, an $\omega$-directed union is a colimit of an $\omega$-chain $X_0 \rightarrowtail X_1 \rightarrowtail X_2 \rightarrowtail \cdots$ of monics. We say that monos in $\mathcal C$ are $\omega$-smooth if any such colimit has monic injections, and moreover for every compatible cocone of monos, the mediating morphism is monic. This property holds in every locally finitely presentable category [3, Prop. 1.62], e.g. sets, posets, or presheaves.


Theorem 42 (Strong normalization). Suppose that the following conditions hold:

(1) On top of Assumptions 6, $\mathcal C$ is countably extensive, and monos are $\omega$-smooth.
(2) $\Sigma$ preserves $\omega$-directed unions, and $D$ preserves monos in the second component.
(3) $\rho$ is relatively flat, simple, and respects weak transitions.
(4) ${\Downarrow}$ has a locally maximal logical refinement w.r.t. $\gamma$ and the canonical lifting $\overline{B}$.

Then the higher-order GSOS law $\rho$ is strongly normalizing.

Recall that condition (4) holds if $\overline{B}$ is contractive (Theorem 25). The proof uses the induction-up-to-$\Box$ technique and a careful categorical abstraction of Example 35.


6 Conclusion and Future Work 


Our work presents the initial steps towards a unifying, efficient theory of logical relations 
for higher-order languages based on higher-order abstract GSOS. This theory can be 
broadened in various directions. One obvious direction would be to extend our theory 
from predicates to relations. Binary logical relations are often utilized as sound (and 
sometimes complete) relations w.r.t. contextual equivalence. Additional generalizations 
are suggested by the large amount of existing work on logical relations. One important 
direction is to generalize the type system to cover, e.g., recursive types, parametric 
polymorphism, or dependent types. Supporting recursive types will presumably require 
an adaptation of the method of step-indexing [17] to our abstract setting. Another 
point of interest is to apply and extend our framework to effectful (e.g. probabilistic) 
settings [40,54], including e.g. an effectful version of the criterion of Section 5. 

As indicated in Remark 29, large parts of our development in Section 3 can be 
reformulated in fibrational terms. This has the potential merit of enabling abstract 
reasoning about higher-order programs in metric and differential settings as done in 
previous work on fine-grain call-by-value [13,14]. In future work, we aim to develop such 
a generalization, and to explore the connection between our weak transition semantics 
and the general evaluation semantics used in op. cit. 
Abstract. The class of basic feasible functionals (BFF) is the analog of FP
(polynomial time functions) for type-2 functionals, that is, functionals that 
can take (first-order) functions as arguments. BFF can be defined through 
Oracle Turing machines with running time bounded by second-order 
polynomials. On the other hand, higher-order term rewriting provides an 
elegant formalism for expressing higher-order computation. We address 
the problem of characterizing BFF by higher-order term rewriting. Various 
kinds of interpretations for first-order term rewriting have been introduced 
in the literature for proving termination and characterizing (first-order) 
complexity classes. In this paper, we consider a recently introduced 
notion of cost-size interpretations for higher-order term rewriting and 
see definitions as ways of computing functionals. We then prove that the 
class of functionals represented by higher-order terms admitting a certain 
kind of cost-size interpretation is exactly BFF. 


Keywords: Basic Feasible Functions - Higher-Order Term Rewriting - 
Tuple Interpretations - Computational Complexity 


1 Introduction 


Computational complexity classes, and in particular those relating to polynomial 
time and space [20,11] capture the concept of a feasible problem, and as such 
have been scrutinized with great care by the scientific community in the last 
fifty years. The fact that even apparently simple problems, such as nontrivial 
separation between those classes, remain open today has highlighted the need for 
a comprehensive study aimed at investigating the deep nature of computational 
complexity. The so-called implicit computational complexity [8,30,33,13,4] fits 
into this picture, and is concerned with characterizations of complexity classes 
based on tools from mathematical logic and the theory of programming languages. 
One of the areas involved in this investigation is certainly that of term rewriting
[34], which has proved useful as a tool for the characterization of complexity
classes. In particular, the class FP (i.e., of polytime first-order functions) has been 
characterized through variations of techniques originally introduced for termi- 
nation, e.g., the interpretation method [31,29], path orders [15], or dependency 
pairs [16]. Some examples of such characterizations can be found in [7,9,10,1,3]. 


After the introduction of FP, it became clear that the study of computational 
complexity also applies to higher-order functionals, which are functions that 
take not only data but also other functions as inputs. The pioneering work of 
Constable [12], Mehlhorn [32], and Kapron and Cook [22] laid the foundations of 
the so-called higher-order complexity, which remains a prolific research area to 
this day. Some motivations for this line of work can be found e.g. in computable 
analysis [24], NP search problems [6], and programming language theory [14]. 

There have been several proposals for a class of type-two functionals that 
correctly generalizes FP. However, the most widely accepted one is the class BFF 
of basic feasible functionals. This class can be characterized based on function 
algebras, similar to Cobham-style, but it can also be described using Oracle 
Turing machines. The class BFF was then the object of study by the research 
community, which over the years has introduced a variety of characterizations, 
e.g., in terms of programming languages with restricted recursion schemes [21,14], 
typed imperative languages [17,18], and restricted forms of iteration in OTMs [23]. 
An investigation of higher-order complexity classes employing the higher-order 
interpretation method (in the context of a pure higher-order functional language) 
was also proposed in [19]. However, this paper does not provide a characterization 
of the standard BFF class. Instead, it characterizes a newly proposed class SFF2 
(Safe Feasible Functionals) which is defined as the restriction of BFF to argument 
functions in FP (see Sect. 4.2 and the conclusion in [19]). 


The studies cited above present structurally complex programming languages 
and logical systems, precisely due to the presence of higher-order functions. It is 
not currently known whether it is possible to give a characterization of BFF in 
terms of mainstream concepts of rewriting theory, although the latter has long 
been known to provide tools for the modeling and analysis of functional programs 
with higher-order functions [25]. 

This paper goes precisely in that direction by showing that the interpretation 
method in the form studied by Kop and Vale [27,26] provides the right tools to 
characterize BFF. More precisely, we consider a class of higher-order rewriting 
systems admitting cost-size tuple interpretations (with some mild upper-bound 
conditions on their cost and size components) and show that this class contains 
exactly the functionals in BFF. Such a characterization could not have been 
obtained employing classical integer interpretations as e.g. in [9] because BFF 
crucially relies on some conditions both on size and on time. This is the main 
contribution of our paper, formally stated in Theorem 2. 

We believe that a benefit of this characterization is that it opens the way 
to effectively handling programs or executable specifications implementing BFF 
functions, in full generality. For instance, we expect that such a characterization 
could be integrated into rewriting-based tools for complexity analysis of term
rewriting systems such as e.g. [2]. 

Our result is proved in two parts. We first prove that if any term rewriting 
system in this class computes a higher-order functional, then this functional has 
to be in BFF (soundness). Conversely, we prove that all functionals in BFF are 
computed by this class of rewriting systems (completeness). We argue that the 
key ingredient towards achieving this characterization is the ability to split the 
dual notions of cost and size given by the usage of tuple interpretations. 


2 Preliminaries 


2.1 Higher-Order Rewriting 


We roughly follow the definition of simply-typed term rewriting system [28]
(STRS): terms are applicative, and we limit our interest to second-order STRSs
where all rules have base type. Reductions follow an innermost evaluation strategy.

Let B be a nonempty set whose elements are called base types and range
over ι, κ, ν. The set T(B) of simple types over B is defined by the grammar
T(B) ::= B | T(B) ⇒ T(B). Types from T(B) are ranged over by σ, τ, ρ. The ⇒
type constructor is right-associative, so we write σ ⇒ τ ⇒ ρ for (σ ⇒ (τ ⇒ ρ)).
Hence, every type σ can be written as σ_1 ⇒ ⋯ ⇒ σ_n ⇒ ι. We may write such
types as σ⃗ ⇒ ι. The order of a type is: ord(ι) = 0 for ι ∈ B and ord(σ ⇒ τ) =
max(1 + ord(σ), ord(τ)). A signature F is a triple (B, Σ, typeOf) where B is a
set of base types, Σ is a nonempty set of symbols, and typeOf : Σ → T(B). For
each type σ, we assume given a set X_σ of countably many variables and assume
that X_σ ∩ X_τ = ∅ if σ ≠ τ. We let X denote ⋃_σ X_σ and assume that Σ ∩ X = ∅.

The set T(F, X) of terms built from F and X collects those expressions
s for which a judgment s : σ can be deduced using the following rules:

          x ∈ X_σ               f ∈ Σ   typeOf(f) = σ             s : σ ⇒ τ   t : σ
  (ax) -----------    (f-ax) -----------------------    (app) --------------------
           x : σ                       f : σ                          (s t) : τ


As usual, application of terms is left-associative, so we write s t u for ((s t) u). Let
vars(s) be the set of variables occurring in s. A term s is ground if vars(s) = ∅.
The head symbol of a term f s_1 ⋯ s_n is f. We say t is a subterm of s (written s ⊵ t)
if either (a) s = t, or (b) s = s' s'' and s' ⊵ t or s'' ⊵ t. It is a proper subterm of
s if s ≠ t. For a term s, pos(s) is the set of positions in s: pos(x) = pos(f) = {ε}
and pos(s t) = {ε} ∪ {1·u | u ∈ pos(s)} ∪ {2·u | u ∈ pos(t)}. For p ∈ pos(s),
the subterm s|_p at position p is given by: s|_ε = s and (s_1 s_2)|_{i·p} = s_i|_p.

In this paper, we require that for all f ∈ Σ, ord(typeOf(f)) ≤ 2, so w.l.o.g.,
f : (ι_1 ⇒ κ_1) ⇒ ⋯ ⇒ (ι_k ⇒ κ_k) ⇒ ν_1 ⇒ ⋯ ⇒ ν_l ⇒ ι. Hence, in a fully applied
term f s_1 … s_k t_1 … t_l we say the s_i are the arguments of type-1 and the t_j are
the arguments of type-0 for f. A substitution γ is a type-preserving map from
variables to terms such that {x ∈ X | γ(x) ≠ x} is finite. We extend γ to terms
as usual: xγ = γ(x), fγ = f, and (s t)γ = (sγ) (tγ). A context C is a term with a
single occurrence of a variable □; the term C[s] is obtained by replacing □ by s.
A rewrite rule ℓ → r is a pair of terms of the same type such that ℓ = f ℓ_1 ⋯ ℓ_n
and vars(ℓ) ⊇ vars(r). It is left-linear if no variable occurs more than once in
ℓ. A simply-typed term rewriting system (F, R) is a set of rewrite rules R over
T(F, X). In this paper, we require that all rules have base type. An STRS is
innermost orthogonal if all rules are left-linear, and for any two distinct rules
ℓ_1 → r_1, ℓ_2 → r_2, there are no substitutions γ, δ such that ℓ_1γ = ℓ_2δ. A reducible
expression (redex) is a term of the form ℓγ for a rule ℓ → r and substitution γ.
The innermost rewrite relation induced by R is defined as follows:

• ℓγ →_R rγ, if ℓ → r ∈ R and ℓγ has no proper subterm that is a redex;

• s t →_R u t, if s →_R u, and s t →_R s u, if t →_R u.

We write →_R^+ for the transitive closure of →_R. An STRS R is innermost
terminating if no infinite rewrite sequence s →_R t →_R … exists. It is innermost confluent
if s →_R^+ t and s →_R^+ u implies that some v exists with t →_R^+ v and u →_R^+ v.
It is well-known that innermost orthogonality implies innermost confluence. In
this paper, we will typically drop the "innermost" adjective and simply refer to
terminating/orthogonal/confluent STRSs.


Example 1. Let B = {nat} and 0 : nat, s : nat ⇒ nat, add, mult : nat ⇒ nat ⇒ nat,
and funcProd : (nat ⇒ nat) ⇒ nat ⇒ nat ⇒ nat. We then let R be given by:

  add 0 y → y                    add (s x) y → s (add x y)
  mult 0 y → 0                   mult (s x) y → add y (mult x y)
  funcProd F 0 y → y             funcProd F (s x) y → funcProd F x (mult y (F x))

Hereafter, we write ⌜n⌝ for the term s(s(… 0 …)) with n occurrences of s.


2.2 Cost-Size Interpretations 


For sets A and B, we write A → B for the set of functions from A to B. A quasi-
ordered set (A, ⊒) consists of a nonempty set A and a reflexive and transitive
relation ⊒ on A. For quasi-ordered sets (A_1, ⊒_1) and (A_2, ⊒_2), we write A_1 ⟹ A_2
for the set of functions f ∈ A_1 → A_2 such that f(x) ⊒_2 f(y) whenever x ⊒_1 y,
i.e., A_1 ⟹ A_2 is the space of functions that preserve the quasi-ordering.

For every ι ∈ B, let a quasi-ordered set (S_ι, ⊒_ι) be given. We extend this to
T(B) by defining S_{σ⇒τ} = (S_σ ⟹ S_τ, ⊒_{σ⇒τ}) where f ⊒_{σ⇒τ} g iff f(x) ⊒_τ g(x)
for any x ∈ S_σ. Given a function J^s mapping f ∈ Σ to some J^s_f ∈ S_{typeOf(f)} and a
valuation α mapping x ∈ X_σ to S_σ, we can map each term s : σ to an element of
S_σ naturally as follows: (a) [x]^s_α = α(x); (b) [f]^s_α = J^s_f; (c) [s t]^s_α = [s]^s_α([t]^s_α).

For every type σ with ord(σ) ≤ 2, we define C_σ as follows: (a) C_κ = ℕ for
κ ∈ B; (b) C_{ι⇒ν} = S_ι ⟹ C_ν for ν ∈ B; and (c) C_{σ⇒τ} = C_σ ⟹ S_σ ⟹ C_τ if
ord(σ) = 1. We want to interpret terms s : σ where both σ and all variables
occurring in s are of type order either 0 or 1, as is the case for the left- and
right-hand side of rules. Thus, we let J^c be a function mapping f ∈ Σ to some
J^c_f ∈ C_{typeOf(f)} and assume given, for each type σ, valuations α : X_σ → S_σ and
ζ : X_σ → C_σ. We then define:

  [x s_1 ⋯ s_n]^c_{α,ζ} = ζ(x)([s_1]^s_α, …, [s_n]^s_α)
  [f s_1 ⋯ s_k t_1 ⋯ t_l]^c_{α,ζ} = J^c_f([s_1]^c_{α,ζ}, [s_1]^s_α, …, [s_k]^c_{α,ζ}, [s_k]^s_α, [t_1]^s_α, …, [t_l]^s_α)


74 P. Baillot et al. 


We let cost(s)_{α,ζ} = Σ{[t]^c_{α,ζ} | s ⊵ t and t is a non-variable term of base type}.
This is all well-defined under our assumptions that all variables have a type of order
0 or 1, and f : (ι_1 ⇒ κ_1) ⇒ ⋯ ⇒ (ι_k ⇒ κ_k) ⇒ ν_1 ⇒ ⋯ ⇒ ν_l ⇒ ι. We also define
cost'(s)_{α,ζ} = Σ{[t]^c_{α,ζ} | s ⊵ t and t ∉ X is of base type and not in normal form}.

A cost-size interpretation F for a second-order signature F = (B, Σ, typeOf)
is a choice of a quasi-ordered set S_ι for each ι ∈ B, along with cost- and size-
interpretations J^c and J^s defined as above. Let (F, R) be an STRS over F. We
say (F, R) is compatible with a cost-size interpretation if for any valuations α
and ζ, we have (a) [ℓ]^c_{α,ζ} > cost(r)_{α,ζ} and (b) [ℓ]^s_α ⊒ [r]^s_α for all rules ℓ → r in
R. In this case we say such a cost-size interpretation orients all rules in R.


Theorem 1 (Innermost Compatibility). Suppose R is an STRS compatible
with a cost-size interpretation F; then for any valuations α and ζ we have
cost'(s)_{α,ζ} > cost'(t)_{α,ζ} and [s]^s_α ⊒ [t]^s_α whenever s →_R t.




From compatibility, we have that if s_0 →_R ⋯ →_R s_n, then n ≤ cost'(s_0).
Hence, cost'(s) bounds the derivation height of s. This follows from [26, Corollary
34], although we significantly simplified the presentation: the limitation to second-
order fully applied rules and the lack of abstraction terms allow us to avoid
many of the complexities in [26]. We also adapted it to innermost rather than
call-by-value evaluation. A correctness proof of this version is supplied in [5].
Since α and ζ are universally quantified, we typically omit them, and just write
x instead of α(x) and F^c instead of ζ(F).


Example 2. We let S_nat = (ℕ, ≥) and assign J^s_0 = 0 and J^s_s = λx.x + 1, as
well as J^c_0 = 0 and J^c_s = λx.0. This gives us [⌜n⌝]^s = n for all n ∈ ℕ, and
[⌜n⌝]^c = cost(⌜n⌝) = 0. Now, we let J^s_add = λxy.x + y and J^s_mult = λxy.x * y; then
indeed [ℓ]^s ≥ [r]^s for the first four rules of Example 1 (e.g., [mult (s x) y]^s =
(x + 1) * y ≥ y + (x * y) = [add y (mult x y)]^s). Moreover, let us choose J^c_add =
λxy.x + 1 and J^c_mult = λxy.x * y + 2 * x + 1. Then also [ℓ]^c > cost(r) for all rules;
for example, [mult (s x) y]^c = (x + 1) * y + 2 * x + 3 > (y + 1) + (x * y + 2 * x +
1) = [add y (mult x y)]^c + [mult x y]^c = cost(add y (mult x y)). Regarding funcProd,
we can orient both rules by choosing J^s_funcProd = λF x y. y * max(F(x), 1)^x and
J^c_funcProd = λF G x y. 2 * x * y * max(F(x), 1)^{x+1} + x * G(x) + 2 * x + 1. This works
due to the monotonicity assumption, which provides, e.g., G(x + 1) ≥ G(x). (This
function is not polynomial, but that is allowed in the general case.)
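As an added example (not code from the paper), the following runs the add/mult fragment of Example 1 under leftmost-innermost rewriting with the interpretation of Example 2, and checks Theorem 1 concretely: cost' strictly decreases and [·]^s never increases at every step, so cost'(s_0) bounds the derivation height. The term representation and all helper names are this example's own choices; funcProd is left out.

```python
# Terms are applicative: a symbol or variable name (str) or an application
# (s, t).  Variable names start with '?'.  All sample terms are constructed.

def app(head, *args):
    """Build the left-associated application  head arg1 ... argn."""
    t = head
    for a in args:
        t = (t, a)
    return t

def nat(n):
    """Unary numeral: s(s(... 0 ...)) with n occurrences of s."""
    t = '0'
    for _ in range(n):
        t = ('s', t)
    return t

# The four first-order rules of Example 1 (funcProd is left out).
RULES = [
    (app('add', '0', '?y'), '?y'),
    (app('add', ('s', '?x'), '?y'), ('s', app('add', '?x', '?y'))),
    (app('mult', '0', '?y'), '0'),
    (app('mult', ('s', '?x'), '?y'), app('add', '?y', app('mult', '?x', '?y'))),
]
ARITY = {'0': 0, 's': 1, 'add': 2, 'mult': 2}   # fully applied = base type

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def match(pat, term, sub):
    """Syntactic matching of a rule pattern against a term; fills sub."""
    if is_var(pat):
        if pat in sub:
            return sub[pat] == term
        sub[pat] = term
        return True
    if isinstance(pat, str):
        return pat == term
    return (isinstance(term, tuple) and match(pat[0], term[0], sub)
            and match(pat[1], term[1], sub))

def subst(t, sub):
    if is_var(t):
        return sub[t]
    if isinstance(t, str):
        return t
    return (subst(t[0], sub), subst(t[1], sub))

def step(t):
    """One leftmost-innermost step, or None if t is in normal form: subterms
    are tried first, so the root is contracted only when no proper subterm is a redex."""
    if isinstance(t, tuple):
        for i in (0, 1):
            r = step(t[i])
            if r is not None:
                return (r, t[1]) if i == 0 else (t[0], r)
    for lhs, rhs in RULES:
        sub = {}
        if match(lhs, t, sub):
            return subst(rhs, sub)
    return None

def flatten(t):
    """Split  f s1 ... sn  into the head symbol f and its argument list."""
    args = []
    while isinstance(t, tuple):
        args.append(t[1])
        t = t[0]
    return t, args[::-1]

# Example 2 with S_nat = (N, >=): size components J^s and cost components J^c.
SIZE = {'0': lambda: 0, 's': lambda x: x + 1,
        'add': lambda x, y: x + y, 'mult': lambda x, y: x * y}
COST = {'0': lambda: 0, 's': lambda x: 0,
        'add': lambda x, y: x + 1, 'mult': lambda x, y: x * y + 2 * x + 1}

def size(t):
    """[t]^s for a ground term."""
    f, args = flatten(t)
    return SIZE[f](*[size(a) for a in args])

def cost_prime(t):
    """cost'(t): sum of [u]^c over base-type subterms u of t not in normal form,
    where [u]^c applies J^c to the sizes of u's arguments."""
    f, args = flatten(t)
    total = 0
    if len(args) == ARITY[f] and step(t) is not None:
        total += COST[f](*[size(a) for a in args])
    return total + sum(cost_prime(a) for a in args)

def trace(t):
    """Reduce t to normal form, checking Theorem 1 at every step: cost' strictly
    decreases and [.]^s never increases.  Returns (normal form, steps, cost'(t))."""
    bound = cost_prime(t)
    c, sz, n = bound, size(t), 0
    while (u := step(t)) is not None:
        c2, sz2 = cost_prime(u), size(u)
        assert c2 < c and sz2 <= sz, (t, u)
        t, c, sz, n = u, c2, sz2, n + 1
    assert n <= bound          # derivation height is bounded by cost'(s_0)
    return t, n, bound
```

For mult ⌜2⌝ ⌜1⌝ the bound is tight: cost'(s_0) = 2*1 + 2*2 + 1 = 7 and the reduction to ⌜2⌝ takes exactly 7 innermost steps.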


2.3 Basic Feasible Functionals 


We assume familiarity with Turing machines. In this paper, we consider determin- 
istic multi-tape Turing machines. Those are, conceptually, machines consisting 
of a finite set of states, one or more (but a fixed number of) right-infinite tapes 
divided into cells. Each tape is equipped with a tape head that scans the symbols 
on the tape’s cells and may write on it. The head can move to the left or right. 
Let W = {0,1}*. A k-ary Oracle Turing Machine (OTM) is a deterministic multi-
tape Turing machine with at least 2k + 1 tapes: one main tape (for input/output),
k designated query tapes, and k designated answer tapes. It also has k distinct
query states q_i and k answer states a_i.

A computation with a k-ary OTM M requires k fixed oracle functions
f_1, …, f_k : W → W. We write M_{f⃗} to denote a run of M with these func-
tions. A run of M_{f⃗} on w starts with w written on the main tape. It ends when
the machine halts, and yields the word that is written on the main tape as output.
As usual, we only consider machines that halt on all inputs. The computation
proceeds as usual for non-query states. To query the value of f_i on w, the machine
writes w on the corresponding query tape and enters the query state q_i. Then,
in one step, the machine transitions to the answer state a_i as follows: (a) the
query value w written on the query tape for f_i is read; (b) the contents of the
answer tape for f_i are changed to f_i(w); (c) the query value w is erased from the
query tape; and (d) the head of the answer tape is moved to its first symbol. The
running time of M_{f⃗} on w is the number of steps used in the computation.

A type-1 function is a mapping in W → W. A type-2 functional of rank
(k, l) is a mapping in (W → W)^k → W^l → W.


Definition 1. We say an OTM M computes a type-2 functional Ψ of rank (k, l)
iff for all type-1 functions f_1, …, f_k and x_1, …, x_l ∈ W, whenever M_{f_1 … f_k} is
started with x_1, …, x_l written on its main tape (separated by blanks), it halts
with Ψ(f_1, …, f_k, x_1, …, x_l) written on its main tape.


Definition 2. Let {F_1, …, F_k} be a set of type-1 variables and {x_1, …, x_l} a
set of type-0 variables. The set Pol2[F_1, …, F_k; x_1, …, x_l] of second-order
polynomials over ℕ with indeterminates F_1, …, F_k, x_1, …, x_l is generated by:

  P, Q ::= n | x | P + Q | P * Q | F(Q)

where n ∈ ℕ, x ∈ {x_1, …, x_l}, and F ∈ {F_1, …, F_k}.


Notice that a polynomial expression can be viewed as a type-2 functional in the
natural way, e.g., P(F, x) = 3 * F(x) + x is a second-order polynomial functional.
Given w ∈ W, we write |w| for its length and define the length |f| of f : W → W
as |f| = λn. max_{|y| ≤ n} |f(y)|. This allows us to define BFF as the class of functionals
computable by OTMs with running time bounded by a second-order polynomial.


Definition 3. A type-2 functional Ψ is in BFF iff there exist an OTM M and
a second-order polynomial P such that M computes Ψ and for all f⃗ and x⃗: the
running time of M_{f_1 … f_k} on x_1, …, x_l is at most P(|f_1|, …, |f_k|, |x_1|, …, |x_l|).


3 Statement of the Main Result 


The main result of this paper roughly states that BFF consists exactly of those 
type-2 functionals computed by an STRS compatible with a polynomially bounded 
cost-size tuple interpretation. To formally state this result, we must first define 
what it means for an STRS to compute a type-2 functional and define precisely 
the class of cost-size interpretations we are interested in. 
Indeed, let us start by encoding words in W as terms. We let bit, word ∈ B
and introduce symbols o, i : bit and [] : word, :: : bit ⇒ word ⇒ word. Then for
instance 001 is encoded as the term :: o (:: o (:: i [])). We use the cleaner list-like
notation [o; o; i] in practice. Let w̄ denote the term encoding of a word w. Next,
we encode type-1 functions as a possibly infinite set of one-step rewrite rules.


Definition 4. Consider a type-1 function f : W → W and let S_f : word ⇒ word
be a fresh function symbol. A set of rules R_f defines f by way of S_f if for
each w ∈ W there is exactly one rule of the form S_f w̄ → f(w)‾ in R_f.


Henceforth, we assume that our STRS (F, R) at hand is such that F
contains o, i, [], :: typed as above and a distinguished symbol F : (word ⇒ word)^k ⇒
word^l ⇒ word. Given type-1 functions f_1, …, f_k, we write F_{f⃗} for F extended with
function symbols S_{f_i} : word ⇒ word, with 1 ≤ i ≤ k, and let R_{f⃗} = R ∪ ⋃_i R_{f_i}.
Now we can define the notion of type-2 computability for such STRSs.


Definition 5. Let (F, R) be an STRS. We say that F computes the type-2
functional Ψ in (F, R) iff for all type-1 functions f_1, …, f_k and all w_1, …, w_l ∈
W, F S_{f_1} ⋯ S_{f_k} w̄_1 ⋯ w̄_l →^+_{R_{f⃗}} ū, where u = Ψ(f_1, …, f_k, w_1, …, w_l).

Next, we define what we mean by a polynomially bounded interpretation.


Definition 6. We say an STRS (F, R) admits a polynomially bounded inter-
pretation iff (F, R) is compatible with a cost-size interpretation such that:

• S_word = (ℕ, ≥);

• J^c_o = J^c_i = J^c_[] = 0, J^c_:: = λxy.0, and J^s_:: = λxy.x + y + c for some c ≥ 1;

• J^c_F is bounded by a polynomial in Pol2[F^c_1, F^s_1, …, F^c_k, F^s_k; x_1, …, x_l].


Finally, we can formally state our main result. 


Theorem 2. A type-2 functional Ψ is in BFF if and only if there exists a finite
orthogonal STRS (F, R) such that the distinguished symbol F computes Ψ in
(F, R) and R admits a polynomially bounded cost-size interpretation.


We prove this result in two parts. First, we prove soundness in Section 4 which 
states that every type-2 functional computed by an STRS as above is in BFF. 
Then in Section 5 we prove completeness which states that every functional in BFF 
can be computed by such an STRS. In order to simplify proofs, we only consider 
type-2 functions of rank (1,1). We claim that the results can be easily generalized, 
but the proofs become more tedious when handling multiple arguments. 


Example 3. Let us consider the type-2 functional defined by Ψ := λf x. Σ_{i<|x|} f(i).
Notice that Ψ adds all f(i) over each word i ∈ W whose value (as a natural
number) is smaller than the length of x. This functional was proved to lie in BFF
in [21], where the authors utilized an encoding of Ψ as a BTLP2 program. We
can encode Ψ as an STRS as follows. Let us consider ancillary symbols lengthOf :
word ⇒ nat and toBin : nat ⇒ word. The former computes the length of a given
word and the latter converts a number from unary to binary representation. We
also consider rules for addition on binary words, i.e., +_B : word ⇒ word ⇒ word,
which we use in infix notation below.

  compute F x 0 acc → acc
  compute F x (s i) acc → compute F x i (acc +_B F (toBin i))
  start F x → compute F x (lengthOf x) []

Now, if we want to compute Ψ(f, x) we simply reduce the term start S_f x̄ to
normal form. To show that this system is in BFF via our rewriting formalism, we
need to exhibit a cost-size tuple interpretation for it that satisfies Definition 6,
see [5, Example 3].


4 Soundness 


In order to prove soundness, let us consider a fixed finite orthogonal STRS R
admitting a polynomially bounded cost-size interpretation such that it computes
a type-2 functional Ψ. We proceed to show that Ψ is in BFF roughly as follows:

1. Since R computes Ψ and admits a polynomially bounded interpretation, we
show that so does the extended system R_f (Definition 5). The restriction on
J^c_F (Definition 6) implies that [F S_f w̄]^c is bounded by a second-order polyno-
mial over |f|, |w|. We show this in Lemma 1. By compatibility (Theorem 1),
we can do at most polynomially many steps when reducing F S_f w̄.

2. The cost polynomial restricts the size of any input that the function variable
F is applied to (e.g., a cost bound of 3 + F^c(m) implies that F is never called
on a term with size interpretation > m). This is the subject of Lemma 3.

3. Using the observations above, we then show that by graph rewriting we can
simulate R_f and compute each R_f-reduction step in polynomial time on
an OTM. This guarantees that Ψ is in BFF, Theorem 3.


4.1 Interpreting The Extended STRS, Polynomially 


Our first goal is to provide a polynomially bounded cost-size interpretation to the
extended system R_f. We start with the observation that the size interpretation
of words in W is proportional to their length. Indeed, since J^s_:: = λxy.x + y + c
(Definition 6), let μ := max(J^s_o, J^s_i) + c and ν := J^s_[]. Consequently, for all w ∈ W:

  |w| ≤ [w̄]^s ≤ μ * |w| + ν                                              (1)


Recall that by Definition 4 the extended system R_f has possibly infinitely
many rules of the form S_f w̄ → f(w)‾. Such rules represent calls for an oracle
to compute f in a single step. Thus, we set their cost to 1. The size should be
given by the length of the oracle output, taking the overhead of interpretation
into account. Hence, we obtain:

  J^c_{S_f} = λx.1          J^s_{S_f} = λx. μ * |f|(x) + ν

This is weakly monotonic because |f| is. It orients the rules in R_f because
[S_f w̄]^c = 1 > 0 = cost(f(w)‾), and [S_f w̄]^s = μ * |f|([w̄]^s) + ν ≥ μ * |f|(|w|) + ν ≥
μ * |f(w)| + ν by definition of |f|, which is greater than or equal to [f(w)‾]^s.

As J^c_F is bounded by a second-order polynomial λF^c F^s x.P, we can let
D(F, n) := P(λx.1, λx. μ * F(x) + ν, μ * n + ν). Then D is a second-order polynomial,
and D(|f|, |w|) ≥ J^c_F(J^c_{S_f}, J^s_{S_f}, [w̄]^s) = cost(F S_f w̄). By Theorem 1 we see:


Lemma 1. There exists a second-order polynomial D so that D(|f|, |w|) bounds
the derivation height of F S_f w̄ for any f ∈ W → W and w ∈ W.


Notice that this lemma does not imply that W is in BFF. It only guarantees that 
there is a polynomial bound to the number of rewriting steps for such systems. 
However, it does not immediately follow that this number is a reasonable bound 
for the actual computational cost of simulating a reduction on an OTM. Consider 
for example a rule f (s n) t → f n (c t t). Every step doubles the size of the term.
A naive implementation — which copies the duplicated term in each step — would 
take exponential time. Moreover, a single step using the oracle can create a very 
large output, which is not considered part of the cost of the reduction, even 
though an OTM would be unable to use it without first fully reading it. 

Therefore, in order to prove soundness, we show how to realize a reasonable 
implementation of rewriting w.r.t. OTMs. In essence, we will show that (1) oracle 
calls are not problematic in the presence of polynomially bounded interpretations, 
and (2) we can handle duplication with an appropriate representation of rewriting. 


4.2 Bounding The Oracle Input 


We first deal with the reasonability of oracle calls. We will show that there exists
a second-order polynomial B such that if an oracle call S_f x̄ occurs anywhere
along the reduction F S_f w̄ →^+ v, then |x| ≤ B(|f|, |w|). From this, we know that
the growth of the overall term size during an oracle call is at most |f|(B(|f|, |w|)).

Let P again be the polynomial bounding J^c_F. Since P is a second-order
polynomial, each occurrence of a sub-expression F^c(E) in P is a second-order
polynomial, and so is E. Let us enumerate these arguments as E_1, …, E_n. We
can then form the new polynomial Q defined as

  Q = Σ_i E_i, where occurrences of F^c(E_j) inside E_i are replaced by 1

We let B(G, y) := Q(λx. μ * G(x) + ν, μ * y + ν).


Example 4. If P = λF^c F^s x. x * F^c(3 + F^s(9 * x)) + F^s(12) * F^c(3 + x * F^c(2)) + 5,
then Q = 3 + F^s(9 * x) + 12 + 3 + x * 1 + 2 = 20 + F^s(9 * x) + x. We have
B(G, x) = 20 + μ * G(9 * (μ * x + ν)) + ν + (μ * x + ν) = 20 + 2 * ν + μ * G(9 * μ * x + 9 * ν) + μ * x.


Now B gives an upper bound to the argument values for F^c that are considered:
if a function differs from J^c_{S_f} only on argument values greater than B(|f|, |w|),
then we can use it in P and obtain the same result. Formally:

Lemma 2. Fix f, w. Let G ∈ ℕ → ℕ with G(z) = 1 if z ≤ B(|f|, |w|). Then
P(G, J^s_{S_f}, [w̄]^s) = P(J^c_{S_f}, J^s_{S_f}, [w̄]^s).


This is proved by induction on the form of P, using that G is never applied on 
arguments larger than B(|f|,|w|). Lemma 2 is used in the following key result: 


Lemma 3 (Oracle Subterm Lemma). Let f : W → W be a type-1 function
and w ∈ W. If F S_f w̄ →^+_{R_f} C[S_f x̄] for some context C, then |x| ≤ B(|f|, |w|).


Proof. In view of a contradiction, suppose there exist f, w, and x such that
F S_f w̄ →^+_{R_f} C[S_f x̄] for some context C, and |x| > B(|f|, |w|). Let us now
construct an alternative oracle: let 0 : nat, s : nat ⇒ nat, S'_f : word ⇒ word and
helper : nat ⇒ nat ⇒ nat, and for N := D(|f|, |w|), let R'_f be given by:

  S'_f x̄ → f(x)‾                    if |x| ≤ B(|f|, |w|)        helper 0 y → y
  S'_f x̄ → helper ⌜N⌝ f(x)‾         otherwise                   helper (s x) y → helper x y

where ⌜N⌝ is the unary number encoding of N as introduced in Section 2.1. Notice
that by definition, the rules for S'_f will produce f(x)‾ in one step if |x| ≤ B(|f|, |w|),
but they will take N + 2 steps otherwise. Also observe that S_f and S'_f behave
the same; that is, S_f x̄ and S'_f x̄ have the same normal form on any input x. We
extend the interpretation function of the original signature with:

  J^c_{S'_f} = λx. 1 if x ≤ B(|f|, |w|), and N + 2 otherwise        J^s_{S'_f} = J^s_{S_f}
  J^c_helper = λxy. x + 1      J^s_helper = λxy. y      J^s_0 = 0      J^s_s = λx. x + 1

We easily see that this orients all rules in R'_f. Then, by Lemma 2, cost(F S'_f w̄) ≤
P(J^c_{S'_f}, J^s_{S'_f}, [w̄]^s) = P(J^c_{S_f}, J^s_{S_f}, [w̄]^s) ≤ D(|f|, |w|) = N. Yet, as we have
F S_f w̄ →^+_{R_f} C[S_f x̄], we also have F S'_f w̄ →^+_{R ∪ R'_f} C'[S'_f x̄], where C' is ob-
tained from C by replacing all occurrences of S_f by S'_f. Since |x| > B(|f|, |w|)
by assumption, the reduction F S'_f w̄ →^+_{R ∪ R'_f} C'[S'_f x̄] →^+_{R ∪ R'_f} C'[f(x)‾] takes
strictly more than N steps, contradicting Theorem 1.


4.3 Graph Rewriting 


Lemma 1 guarantees that if R is compatible with a suitable interpretation, 
then at most polynomially many R+ p-steps can be performed starting in F Sy w. 
However, as observed in Section 4.1, this does not yet imply that a type-2 
functional computed by an STRS with such an interpretation is in BFF. To 
simulate a reduction on an OTM, we must find a representation whose size does 
not increase too much in any given step. The answer is graph rewriting. 


Definition 7. A term graph for a signature Σ is a tuple (V, label, succ, λ)
with V a finite nonempty set of vertices; λ ∈ V a designated vertex called the root;
label : V → Σ ∪ {@} a partial function with @ fresh; and succ : V → V*
a total function such that succ(v) = v_1 v_2 when label(v) = @ and succ(v) = ε
otherwise. We view this as a directed graph, with an edge from v to v' if v' ∈
succ(v), and require that this graph is acyclic (i.e., there is no path from any v
to itself). Given term graph G, we will often directly refer to V_G, label_G, etc.


[Figure 1 (drawing not recoverable from the text): panels (a), (b), (c), (d)]

Fig. 1: A term graph, its simplified version, and two graphs with sharing


Term graphs can be denoted visually in an intuitive way. For example, using
Σ from Example 1, the graph with V = {v_0, …, v_4}, label = {v_0, v_1 ↦ @, v_2 ↦
add}, succ = {v_0 ↦ v_1 v_4, v_1 ↦ v_2 v_3, v_2, v_3, v_4 ↦ ε} and λ = v_0 is pictured in
Figure 1a. We use ⊥ to indicate unlabeled vertices and a circle for λ. We will
typically omit vertex names, as done in Figure 1b. Note that the definition allows
multiple vertices to have the same vertex as successor; these successor vertices
with in-degree > 1 are shared. Two examples are denoted in Figures 1c and 1d.

Each term has a natural representation as a tree. Formally, for a term s we let
[s]_G = (pos(s), label, succ, ε) where label(p) = @ if s|_p = s_1 s_2 and label(p) =
f if s|_p = f; label(p) is not defined if s|_p is a variable; and succ(p) = (1·p)(2·p) if
s|_p = s_1 s_2 and succ(p) = ε otherwise. Essentially, [s]_G maintains the positioning
structure of s and forgets variable names. For example, Figure 1b denotes both
[add x y]_G and [add x x]_G.

Our next step is to reduce term graphs using rules. We limit interest to
left-linear rules, which includes all rules in R_f (as R is orthogonal, and the rules
in R_f are ground). To define reduction, we will need some helper definitions.


Definition 8. Let G = (V, label, succ, λ), v ∈ V. The subgraph reach(G, v) of
G rooted at v is the term graph (V', label', succ', v) where V' contains those
v' ∈ V such that a path from v to v' exists, and label', succ' are respectively the
restrictions of label and succ to V'.


Definition 9. A homomorphism between two term graphs G and H is a
function φ : V_G → V_H with φ(λ_G) = λ_H, and for v ∈ V_G such that label_G(v)
is defined, label_H(φ(v)) = label_G(v) and succ_H(φ(v)) = φ(v_1) … φ(v_k) when
succ_G(v) = v_1 … v_k. (If label_G(v) is undefined, succ_H(φ(v)) may be anything.)


Definition 10. A redex in G is a triple (ρ, v, φ) consisting of some rule ρ =
ℓ → r ∈ R_{+f}, a vertex v in V_G, and a homomorphism φ : [ℓ]_G → reach(G, v).
Definition 11. Let G be a term graph and v₁, v₂ vertices in G. The redirection
of v₁ to v₂ is the term graph G[v₁ ↦ v₂] = (V_G, label_G, succ'_G, Λ') with

$$
\mathsf{succ}'_G(v)_i = \begin{cases} v_2 & \text{if } \mathsf{succ}_G(v)_i = v_1 \\ \mathsf{succ}_G(v)_i & \text{otherwise} \end{cases}
\qquad
\Lambda' = \begin{cases} v_2 & \text{if } \Lambda_G = v_1 \\ \Lambda_G & \text{otherwise} \end{cases}
$$


That is, we replace every reference to v₁ by a reference to v₂. With these definitions
in hand, we can define contraction of term graphs:


Definition 12. Let G be a term graph, and (ρ, v, φ) a redex in G with ρ ∈ R_{+f},
such that no other vertex v' in reach(G, v) admits a redex (so v is an innermost
redex position). Denote a_x for the position of variable x in ℓ, and recall that a_x is a
vertex in [ℓ]_G. By left-linearity, a_x is unique for x ∈ vars(ℓ). The contraction of
(ρ, v, φ) in G is the term graph J produced after the following steps: H (building),
I (redirection), and J (garbage collection).


(building) Let H = (V_H, label_H, succ_H, Λ_G) where:
• V_H = V_G ⊎ {p ∈ pos(r) | r|_p is not a variable} (⊎ means disjoint union);
• for v ∈ V_G: label_H(v) = label_G(v) and succ_H(v) = succ_G(v);
• for p ∈ V_H with r|_p not a variable:
  – label_H(p) = f if r|_p = f and label_H(p) = @ otherwise;
  – succ_H(p) = ε if r|_p = f; otherwise, succ_H(p) = ψ(1·p) ψ(2·p).
Here, ψ(q) = q if r|_q is not a variable; if r|_q = x then ψ(q) = φ(a_x).
(redirection) If r is a variable x (so H = G), then let I = G[v ↦ φ(a_x)].
Otherwise, let I = H[v ↦ ε], so with all references to v redirected to the root
vertex for r.
(garbage collection) Let J := reach(I, Λ_I) (so remove unreachable vertices).


We then write G ⇝ J in one step, and G ⇝ⁿ J for the n-step reduction.
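The contraction of Definition 12 carried out on explicit data structures, as an added illustration that is not the paper's own code: vertices are integers, unlabeled vertices stand for variables, the homomorphism φ is found by structural matching of ℓ against reach(G, v), and the caller is assumed to pick an innermost redex position v. The two constructed sample reductions use the rules add 0 y → y and mult (s x) y → add y (mult x y) from the text.

```python
# Term graphs and the contraction of Definition 12 (building, redirection,
# garbage collection).  Added illustration, not the paper's code.  A vertex is
# an int; label is '@', a function symbol, or None for an unlabeled vertex
# (a variable); succ maps a vertex to its tuple of successors.
from dataclasses import dataclass

@dataclass
class TermGraph:
    label: dict   # vertex -> '@' | symbol name | None
    succ: dict    # vertex -> tuple of successor vertices (empty if not '@')
    root: int     # the root Lambda

# Terms are tuples: ('app', s, t), ('sym', f) or ('var', x).
def app(*ts):
    """Left-nested application: app(f, a, b) denotes (f a) b."""
    t = ts[0]
    for u in ts[1:]:
        t = ('app', t, u)
    return t

def readback(g, v, names=None):
    """theta(v): the term denoted by the subgraph rooted at v; unlabeled
    vertices become variables x0, x1, ... (a shared vertex keeps its name)."""
    names = {} if names is None else names
    lab = g.label[v]
    if lab == '@':
        a, b = g.succ[v]
        return ('app', readback(g, a, names), readback(g, b, names))
    if lab is None:
        return ('var', names.setdefault(v, 'x%d' % len(names)))
    return ('sym', lab)

def match(g, v, pat, phi):
    """Build the homomorphism [pat]_G -> reach(G, v) by structural matching;
    phi records phi(a_x) for each variable x of the left-hand side."""
    kind = pat[0]
    if kind == 'var':
        phi[pat[1]] = v
        return True
    if kind == 'sym':
        return g.label[v] == pat[1]
    if g.label[v] != '@':
        return False
    a, b = g.succ[v]
    return match(g, a, pat[1], phi) and match(g, b, pat[2], phi)

def contract(g, v, rule):
    """Contract the redex (rule, v, phi); the caller picks an innermost v."""
    lhs, rhs = rule
    phi = {}
    if not match(g, v, lhs, phi):
        raise ValueError('no redex at vertex %d' % v)
    label, succ = dict(g.label), dict(g.succ)
    fresh = [max(label) + 1]

    def build(t):
        # (building): one new vertex per non-variable position of rhs;
        # a variable position is identified with phi(a_x) (the psi map).
        if t[0] == 'var':
            return phi[t[1]]
        w = fresh[0]
        fresh[0] += 1
        if t[0] == 'sym':
            label[w], succ[w] = t[1], ()
        else:
            label[w] = '@'
            succ[w] = (build(t[1]), build(t[2]))
        return w

    target = build(rhs)   # root vertex of rhs, or phi(a_x) if rhs is a variable
    # (redirection): every reference to v now points to target.
    for w in succ:
        succ[w] = tuple(target if u == v else u for u in succ[w])
    root = target if g.root == v else g.root
    # (garbage collection): keep only vertices reachable from the new root.
    keep, stack = set(), [root]
    while stack:
        w = stack.pop()
        if w not in keep:
            keep.add(w)
            stack.extend(succ[w])
    return TermGraph({w: label[w] for w in keep}, {w: succ[w] for w in keep}, root)

def example_mult():
    """Constructed graph for mult (s 0) (s 0) with the subgraph s 0 shared,
    rewritten with mult (s x) y -> add y (mult x y)."""
    g = TermGraph({0: '@', 1: '@', 2: 'mult', 3: '@', 4: 's', 5: '0'},
                  {0: (1, 3), 1: (2, 3), 2: (), 3: (4, 5), 4: (), 5: ()}, 0)
    rule = (app(('sym', 'mult'), app(('sym', 's'), ('var', 'x')), ('var', 'y')),
            app(('sym', 'add'), ('var', 'y'),
                app(('sym', 'mult'), ('var', 'x'), ('var', 'y'))))
    return contract(g, 0, rule)

def example_add_zero():
    """Constructed graph for add 0 (s 0), rewritten with add 0 y -> y: the
    building phase adds nothing and the root is redirected to phi(a_y)."""
    g = TermGraph({0: '@', 1: '@', 2: 'add', 3: '0', 4: '@', 5: 's', 6: '0'},
                  {0: (1, 4), 1: (2, 3), 2: (), 3: (), 4: (5, 6), 5: (), 6: ()}, 0)
    rule = (app(('sym', 'add'), ('sym', '0'), ('var', 'y')), ('var', 'y'))
    return contract(g, 0, rule)
```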


We illustrate this with two examples. First, we aim to rewrite the graph of
Figure 2a with a rule add 0 y → y at vertex v. Since the right-hand side is a
variable, the building phase does nothing. The result of the redirection phase is
given in Figure 2b, and the result of the garbage collection in Figure 2c.


[Figure 2 omitted: panels (a), (b) and (c) are described in the text above.]

Fig. 2: Reducing a graph with the rule add 0 y → y
Second, we consider a reduction by mult (s x) y → add y (mult x y). Figure 3a
shows the result of the building phase, with the vertices and edges added during
this phase in red. Redirection sets the root to the squared node (the root of the
right-hand side), and the result after garbage collection is in Figure 3b.


[Figure 3 omitted: panels (a) and (b) are described in the text above.]

Fig. 3: Reducing a term graph with substantial sharing


Note that, even when a term graph G is not a tree, we can find a corresponding
term: we assign a variable var(v) to each unlabeled vertex v in G, and let:

$$
\theta(v) = \begin{cases}
\theta(v_1)\,\theta(v_2) & \text{if } \mathsf{label}(v) = @ \text{ and } \mathsf{succ}(v) = v_1 v_2 \\
f & \text{if } \mathsf{label}(v) = f \\
\mathsf{var}(v) & \text{if } \mathsf{label}(v) \text{ is undefined}
\end{cases}
$$

Then we may define [G]_G^{-1} := θ(Λ_G). For a linear term, clearly [[s]_G]_G^{-1} = s
(modulo variable renaming). We make the following observation:


Lemma 4. Assume given a term graph G such that there is a path from Λ_G
to every vertex in V_G, and let [G]_G^{-1} = s. If G ⇝ H then [G]_G^{-1} →_{R_{+f}} [H]_G^{-1}.
Moreover, if s →_{R_{+f}} t for some t, then there exists H such that G ⇝ H.


Consequently, if →_{R_{+f}} is terminating, then so is ⇝; and if [s]_G ⇝ⁿ G for some
ground term s then s →*_{R_{+f}} [G]_G^{-1} in at least n steps. Notice that if G does not
admit any redex, then [G]_G^{-1} is in normal form. Moreover, since R_{+f} = R ∪ R_f
is orthogonal (as R is orthogonal and the R_f rules are non-overlapping) and
therefore confluent, this is the unique normal form of s. We conclude:


Corollary 1. If [F S_f w]_G ⇝ⁿ G, then n ≤ D(|f|, |w|); and if G is in normal
form, then [G]_G^{-1} = Ψ(f, w).
4.4 Bringing Everything Together 


We are now ready to complete the soundness proof following the recipe at the start 
of the section. Towards the third bullet point, we make the following observation. 
Lemma 5. There is a constant a such that, whenever G ⇝ H by a rule in R,
then |H| ≤ |G| + a, where |G| denotes the total number of nodes in the graph G.


Proof. In a step using a rule ℓ → r, the number of nodes in the graph can be
increased at most by |[r]_G|. As there are only finitely many rules in R, we can
let a be the number of nodes in the largest graph for a right-hand side r.


To see that graph rewriting with S_f can be implemented in an efficient way, we
observe that the size of any intermediary graph in a reduction [F S_f w]_G ⇝* H
is polynomially bounded by a second-order polynomial over |f|, |w|:


Lemma 6. There is a second-order polynomial Q such that if [F S_f w]_G ⇝* H,
then |H| ≤ Q(|f|, |w|).


Proof. Let Q(F, x) := x + D(F, x) × (a + F(B(F, x))), where D is the polynomial
from Lemma 1, a is the constant from Lemma 5, and B is the polynomial
from Section 4.2. This suffices, because there are at most D(|f|, |w|) steps
(Lemma 1, Corollary 1), each of which increases the graph size by at
most max(a, |f|(B(|f|, |w|))).


All in all, we are finally ready to prove the soundness side of the main theorem: 


Theorem 3. Let R be a finite orthogonal STRS admitting a polynomially
bounded interpretation. If F computes a type-2 functional Ψ, then Ψ ∈ BFF.


Proof. Given (F, R), we can construct an OTM M so that for a given f ∈
W → W, the machine M_f executed on w ∈ W computes the normal form of
F S_f w under →_{R_{+f}} using graph rewriting. We omit the exact construction, but
observe:

• that we can represent each graph in polynomial space in the size of the graph;

• that we can do a rewriting step that does not call the oracle (so using a rule
in R) following the contraction algorithm we defined in Definition 12, which
is clearly feasible to do in polynomial time in the size of the graph;

• and that each oracle call (implemented in rewriting by an R_f-step S_f x → y)
is resolved by copying x to the query tape, transitioning to the query state,
and from the answer state copying y from the answer tape to the main tape.
By Lemma 3 this is doable in polynomial time in |f|, |w| and the graph size.

By Lemma 6, graph sizes are bounded by a polynomial over |f|, |w|, so using the
above reasoning, the same holds for the cost of each reduction step. In summary:
the total cost of M_f running on w is bounded by a second-order polynomial
in terms of |f| and |w|. As M_f simulates R_{+f} via graph rewriting and R_{+f}
computes Ψ, M also computes Ψ. By Definition 3, Ψ is in BFF.


5 Completeness 


Recall from Section 3 that to prove completeness we have to show the following:
if a given type-2 functional Ψ is in BFF, then there exists an orthogonal STRS
that computes Ψ and admits a polynomially bounded interpretation. We prove
this by providing an encoding of OTMs as STRSs that admit a polynomially
bounded interpretation.

The encoding is divided into three steps. In Section 5.1, we will define the 
function symbols that will allow us to encode any possible machine configuration 
as terms. In Section 5.2, we will encode transitions as reduction rules that rewrite 
configuration terms. Lastly, we will design an STRS to simulate a complete 
execution of an OTM in polynomially many steps. Achieving this polynomial 
bound is non-trivial and is done in Sections 5.3-5.4. 

Henceforth, we assume given a fixed OTM M, and a second-order polynomial
P_M, such that M operates in time P_M. For simplicity, we assume the machine
has only three tapes (one input/output tape, one query tape, one answer tape);
that each non-oracle transition only operates on one tape (i.e., reading/writing
and moving the tape head); and that we only have tape symbols {0, 1, B}.


5.1 Representing Configurations 


Following Example 3, we have o, i : bit, :: : bit ⇒ word ⇒ word and [] : word. To represent
a (partial) tape, we also introduce b : bit for the blank symbol. Now for instance
a tape with content 011B01BB··· (followed by infinitely many blanks) may be
represented as the list [o; i; i; b; o; i] of type word. We may also add an arbitrary
number of blanks at the end of the representation; e.g., [o; i; i; b; o; i; b; b].

We can think of a tape configuration (the combination of a tape and the
position of the tape head) as a finite word w₁ ... w_{p−1} # w_p w_{p+1} ... w_k (followed
by infinitely many blanks). Here, the tape's head is reading the symbol w_p. We
can split this tape into two components: the left word w₁ ... w_{p−1}, and the right
word w_p ... w_k. To represent a tape configuration, we introduce three symbols:


L : word ⇒ left      R : word ⇒ right      split : left ⇒ right ⇒ tape


Here, L, R hold the content of the left and right split of the tape, respectively.
While we technically do not need these two constructors (we could have split :
word ⇒ word ⇒ tape), they serve to make configurations more human-readable.
For convenience in rewriting transitions, later on, we will encode the left side of
the split in reverse order. Specifically, we encode w₁ ... w_{p−1} # w_p w_{p+1} ... w_k as

split (L [w_{p−1}; ...; w₂; w₁]) (R [w_p; ...; w_{k−1}; w_k])


The symbol currently being read is the first element of the list below R; in case
of R [], this symbol is B. For a concrete example, a tape configuration 1B0#10 is
represented by: split (L [o; b; i]) (R [i; o]). Since we have assumed an OTM with three
tapes, a configuration of the machine at any moment is a tuple (q, t₁, t₂, t₃), with
q a state and t₁, t₂, t₃ tape configurations. To represent machine configurations,
we introduce, for each state q, a symbol q : tape ⇒ tape ⇒ tape ⇒ config. Thus,
a configuration (q, t₁, t₂, t₃) is represented by a term q T₁ T₂ T₃.
Example 5. The initial configuration for a machine M_f on input w is a tuple
(q₀, #w, #B, #B). This is represented by the term

initial(w) := q₀ (split (L []) (R w)) (split (L []) (R [])) (split (L []) (R []))


To interpret the symbols from this section, we let (S_ι, ⊑_ι) := (ℕ, ≥) for all ι,
let J^c_f = λx₁ ... x_m.0 whenever f takes m arguments, and for the sizes:

$$
\begin{array}{lllll}
\mathcal{J}^s_{\mathsf{o}} = 0 & \mathcal{J}^s_{\mathsf{i}} = 0 & \mathcal{J}^s_{\mathsf{L}} = \lambda x.\,x & \mathcal{J}^s_{::} = \lambda xy.\,x + y + 1 & \mathcal{J}^s_{q} = \lambda xyz.\,x + y \ \text{(for all states } q\text{)} \\
\mathcal{J}^s_{\mathsf{b}} = 0 & \mathcal{J}^s_{[]} = 0 & \mathcal{J}^s_{\mathsf{R}} = \lambda x.\,x & \mathcal{J}^s_{\mathsf{split}} = \lambda xy.\,x + y &
\end{array}
$$

Hence, [w]^s = |w|, which satisfies the requirements of Theorem 2; the size of a
tape configuration w₁ ... w_{p−1} # w_p ... w_k is k, and the size of a configuration is
the size of its first and second tapes combined. We do not include the third tape,
as it does not directly affect either the result yielded by the final configuration
(this is read from the first tape), or the size of a word the oracle f is applied on.


5.2 Executing The Machine 


A single step in an OTM can either be an oracle call (a transition from the
query state to the answer state), or a traditional step: we assume that an OTM
M has a fixed set T of transitions q ⟹^{r/i, d}_t l where q is the input state, l the
output state, t ∈ {1, 2, 3} the tape considered (recall that we have assumed that a
non-oracle transition only operates on one tape), r, i ∈ {0, 1, B} respectively the
symbol being read and the symbol being written, and d ∈ {L, R} the direction
for the read head of tape t to move. We will model the computation of M as
rules that simulate the small step semantics for the machine.


To encode a single transition, let step : (word ⇒ word) ⇒ config ⇒ config. For
any transition of the form q ⟹^{r/i, L}_1 l (so a transition operating on tape 1, and
moving left), we introduce a rule (where we write 0̄ = o, 1̄ = i, B̄ = b):

step F (q (split (L (x::y)) (R (r̄::z))) u v) → l (split (L y) (R (x::ī::z))) u v

Moreover, for transitions q ⟹^{B/i, L}_1 l (so where B is read), we add a rule:

step F (q (split (L (x::y)) (R [])) u v) → l (split (L y) (R (x::ī::[]))) u v

These rules respectively handle the steps where a tape configuration is changed
from u₁ ... u_{p−1} u_p # r u_{p+2} ... u_k to u₁ ... u_{p−1} # u_p i u_{p+2} ... u_k, and where a tape
configuration is changed from u₁ ... u_k # to u₁ ... u_{k−1} # u_k i.

Transitions where d = R, or on the other two tapes, are encoded similarly. 

Next, we encode oracle calls. Recall that, to query the machine for the value
of f at u, we write u on the second tape, move its head to the leftmost position,
and enter the query state. Then, the content of this tape is erased and the image
of f over u is written in the third tape. Visually, this step is represented as:

(query, ⟨tape₁⟩, v₁ ... v_p # u B ..., ⟨tape₃⟩) ⇝ (answer, ⟨tape₁⟩, # B, # f(u))

step F (query t₁ (split x (R y)) t₃) → answer t₁ (split (L []) (R [])) (split (L []) (R (F (clean y))))

clean (o::x) → o::(clean x)      clean (b::x) → []
clean (i::x) → i::(clean x)      clean [] → []


Here, clean : word = word turns a word that may have blanks in it into a bitstring, 
by reading until the next blank; for instance replacing [o; i; b; i] by [o;i]. 
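The tape encoding of Section 5.1 and the step rules of Section 5.2 executed on concrete configurations, as an added illustration that is not the paper's own code. Tapes are Python pairs (L, R) standing for split (L ...) (R ...); the two-state machine STRIP_ZEROS and the oracle f = reverse are constructed here for the demonstration.

```python
# Tape configurations (Section 5.1) and the step rules (Section 5.2) run on
# concrete data.  Added illustration, not the paper's code.  Bits are 'o',
# 'i', 'b'; a word is a list of bits; the tape  w1..w(p-1) # wp..wk  is the
# pair (L, R) = ([w(p-1), .., w1], [wp, .., wk]), i.e. split (L ..) (R ..).
BIT = {'0': 'o', '1': 'i', 'B': 'b'}
SYM = {v: k for k, v in BIT.items()}

def encode_tape(content):
    """'1B0#10' -> (['o', 'b', 'i'], ['i', 'o']); '#' marks the head."""
    left, right = content.split('#')
    return ([BIT[c] for c in reversed(left)], [BIT[c] for c in right])

def decode_tape(t):
    left, right = t
    return ''.join(SYM[c] for c in reversed(left)) + '#' + ''.join(SYM[c] for c in right)

def read_head(t):
    """The first element below R; B when R is []."""
    return t[1][0] if t[1] else 'b'

def step_tape(t, write, move):
    """One step rule on a single tape: overwrite the head cell with `write`
    (a symbol in {0, 1, B}) and move the head 'L' or 'R'."""
    left, right = t
    rest = right[1:]                 # z in R (r::z); [] when R is []
    if move == 'L':
        x, y = left[0], left[1:]     # L (x::y); there is no rule for L []
        return (y, [x, BIT[write]] + rest)
    return ([BIT[write]] + left, rest)

def clean(word):
    """clean: keep the bits up to the first blank, e.g. [o;i;b;i] -> [o;i]."""
    out = []
    for c in word:
        if c == 'b':
            break
        out.append(c)
    return out

def step(F, transitions, config):
    """Small-step semantics on config = (q, t1, t2, t3).  transitions maps a
    state q to (t, table): t is the tape q operates on, table maps the bit
    read to (l, i, d).  The query state is handled by the oracle rule."""
    q, tapes = config[0], list(config[1:])
    if q == 'query':
        u = clean(tapes[1][1])       # y in split x (R y) on the second tape
        return ('answer', tapes[0], ([], []), ([], F(u)))
    t, table = transitions[q]
    l, i, d = table[read_head(tapes[t - 1])]
    tapes[t - 1] = step_tape(tapes[t - 1], i, d)
    return (l, *tapes)

def run(F, transitions, w, fuel=1000):
    """Start from initial(w) and step until the end state; the answer is
    extract t1 = clean of the right split of the first tape."""
    config = ('q0', encode_tape('#' + w), ([], []), ([], []))
    for _ in range(fuel):
        if config[0] == 'end':
            return ''.join(SYM[c] for c in clean(config[1][1]))
        config = step(F, transitions, config)
    raise RuntimeError('step budget exhausted')

# Constructed two-state machine on tape 1: blank out leading zeros, then park
# the head on the first 1 so that the result can be read off the tape.
STRIP_ZEROS = {
    'q0': (1, {'o': ('q0', 'B', 'R'), 'i': ('q1', '1', 'R'), 'b': ('end', 'B', 'R')}),
    'q1': (1, {'o': ('end', '0', 'L'), 'i': ('end', '1', 'L'), 'b': ('end', 'B', 'L')}),
}

def oracle_example():
    """The oracle rule on (query, <tape1>, #011B1, <tape3>) with f = reverse
    (a constructed oracle): tape 2 is erased and f(011) lands on tape 3."""
    reverse = lambda u: list(reversed(u))
    cfg = ('query', encode_tape('1#0'), encode_tape('#011B1'), ([], []))
    return step(reverse, {}, cfg)
```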

The various step rules, as well as the clean rules, are non-overlapping because
we consider deterministic OTMs. They are also left-linear, and are oriented using:

$$
\begin{array}{ll}
\mathcal{J}^s_{\mathsf{clean}} = \lambda x.\,x & \mathcal{J}^c_{\mathsf{clean}} = \lambda x.\,x + 1 \\
\mathcal{J}^s_{\mathsf{step}} = \lambda F x.\,x + 1 & \mathcal{J}^c_{\mathsf{step}} = \lambda F F' x.\,F'(x) + x + 2
\end{array}
$$

(Note that J^s_step is so simple because the size of a configuration does not include
the size of the answer tape.) From the rules, the following result is obvious:


Lemma 7. Let M_f be an OTM and C, C' be machine configurations of M_f such
that C ⇝ C'. Then step S_f [C] →⁺ [C'], where [C] is the term encoding of C.


5.3 A Bound on the Number of Steps 


To generalize from performing a single step of the machine to tracing a full
computation on the machine level, the natural idea would be to define rules such
as:

execute F (q x y z) → execute F (step F (q x y z))      for q ≠ end
execute F (end (split (L x) (R w)) y z) → clean w

Then, reducing execute S_f initial(w) to normal form simulates a full OTM execution
of M_f on input w. Unfortunately, this rule does not admit an interpretation,
as it may be non-terminating. A solution could be to give execute an additional
argument ⌈N⌉ suggesting an execution in at most N steps; this argument would
ensure termination, and could be used to find an interpretation.

The challenge, however, is to compute a bound on the number of steps in the
OTM: the obvious thought is to compute P_M(|f|, |w|), but this cannot in general
be done in polynomial time because the STRS does not have access to |f|: since
|f|(n) = max{|f(x)| | |x| ≤ n}, there are exponentially many choices for x.

To solve this, and following [22, Proposition 2.3], we observe that it suffices to
know a bound for f(x) for only those x on which the oracle is actually questioned.
That is, for A ⊆ W, let |f|_A = λn. max{|f(x)| | x ∈ A ∧ |x| ≤ n}. Then:


Lemma 8. Suppose an OTM M_f runs in time bounded by P_M(|f|, |w|) on input
w. If M_f transitions in N steps from its initial state to some configuration C,
calling the oracle only on words in A ⊆ W, then N ≤ P_M(|f|_A, |w|).

Proof (Sketch). We construct f' with f'(x) = 0 if x ∉ A and f'(x) = f(x) if
x ∈ A. Then |f'| = |f|_A, and M_{f'} runs the same on input w as M_f does.


Now, for A encoded as a term ⌈A⌉ (using symbols ∅ : set, setcons : word ⇒
set ⇒ set), we can compute |f|_A using the rules below, where we use unary
integers as in Example 1 (0 : nat, s : nat ⇒ nat), and defined symbols len : word ⇒
nat, max : nat ⇒ nat ⇒ nat, limit : word ⇒ nat ⇒ word, retif : word ⇒ nat ⇒
word ⇒ word, tryapply : (word ⇒ word) ⇒ word ⇒ nat ⇒ nat, tryall : (word ⇒
word) ⇒ set ⇒ nat ⇒ nat. By design, retif x ⌈n⌉ y reduces to y if |x| ≤ n and
to [] otherwise; tryapply S_f x ⌈n⌉ reduces to the unary encoding of |f|_{{x}}(n) and
tryall S_f ⌈A⌉ ⌈n⌉ yields |f|_A(n).


len [] → 0      len (x::y) → s (len y)
max 0 m → m      max (s n) 0 → s n      max (s n) (s m) → s (max n m)
limit [] n → []      limit (x::y) 0 → []      limit (x::y) (s n) → x :: (limit y n)
retif [] n z → z      retif (x::y) 0 z → []      retif (x::y) (s n) z → retif y n z

tryapply F x n → len (retif x n (F (limit x n)))
tryall F ∅ n → 0      tryall F (setcons x tl) n → max (tryapply F x n) (tryall F tl n)


An interpretation is provided in [5]. Importantly, the limit function ensures that,
in tryall F ⌈A⌉ ⌈n⌉ we never apply F to a word w with |w| > n. Therefore we can
let [⌈A⌉]^s = |A|, the number of words in A, and have J^s_tryall = λF a n. F(n) and
J^c_tryall = λF^c F^s a n. 1 + a + F^c(n) + 2·F^s(n) + 2·n + 6.

Now, for a given second-order polynomial P, fixed f, n, and a term ⌈A⌉ encoding
a set A ⊆ W, we can construct a term Θ^P_{F;n;A} that computes P(|f|_A, n) using
tryall and the functions add, mult from Example 1. By induction on P, we have
[Θ^P_{F;n;A}]^s = P(|f|_A, n), while its cost is bounded by a polynomial over |f|, n, |A|.
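The rules for len, max, limit, retif, tryapply and tryall run as functions over unary naturals and word lists, comparing tryall against the direct definition of |f|_A(n) and recording the lengths of the words F is applied to. This is an added illustration and not the paper's own code; the oracle f, the set A and the Tracking wrapper are constructed here.

```python
# The rules for len, max, limit, retif, tryapply and tryall (Section 5.3)
# as functions.  Added illustration, not the paper's code.  nat is unary:
# ('0',) is 0 and ('s', n) is s n; words are lists of bits; a set A is a
# list of words (setcons x tl is [x] + tl, the empty set is []).
def nat(k):
    n = ('0',)
    for _ in range(k):
        n = ('s', n)
    return n

def to_int(n):
    k = 0
    while n[0] == 's':
        k, n = k + 1, n[1]
    return k

def length(w):
    # len [] -> 0 ;  len (x::y) -> s (len y)
    return ('0',) if not w else ('s', length(w[1:]))

def maximum(n, m):
    # max 0 m -> m ;  max (s n) 0 -> s n ;  max (s n) (s m) -> s (max n m)
    if n[0] == '0':
        return m
    if m[0] == '0':
        return n
    return ('s', maximum(n[1], m[1]))

def limit(w, n):
    # limit [] n -> [] ;  limit (x::y) 0 -> [] ;  limit (x::y) (s n) -> x::(limit y n)
    if not w or n[0] == '0':
        return []
    return [w[0]] + limit(w[1:], n[1])

def retif(w, n, z):
    # retif [] n z -> z ;  retif (x::y) 0 z -> [] ;  retif (x::y) (s n) z -> retif y n z
    if not w:
        return z
    if n[0] == '0':
        return []
    return retif(w[1:], n[1], z)

def tryapply(F, x, n):
    # tryapply F x n -> len (retif x n (F (limit x n)))
    return length(retif(x, n, F(limit(x, n))))

def tryall(F, A, n):
    # tryall F {} n -> 0 ;  tryall F (setcons x tl) n -> max (tryapply F x n) (tryall F tl n)
    if not A:
        return ('0',)
    return maximum(tryapply(F, A[0], n), tryall(F, A[1:], n))

def f_size_A(f, A, n):
    """|f|_A(n) = max{ |f(x)| : x in A, |x| <= n }, computed directly."""
    return max([len(f(x)) for x in A if len(x) <= n], default=0)

class Tracking:
    """Oracle wrapper recording the length of every word it is applied to,
    to check the claim that F is never applied to a word longer than n."""
    def __init__(self, f):
        self.f, self.seen = f, []
    def __call__(self, x):
        self.seen.append(len(x))
        return self.f(x)

def demo(n=3):
    """Constructed f with |f(x)| = 2|x| + 1 and a set A with words of length
    0, 1, 2 and 4; returns (tryall result, |f|_A(n), longest word F saw)."""
    f = lambda x: x + x + ['i']
    A = [['o'], ['i', 'i'], ['o', 'i', 'o', 'i'], []]
    F = Tracking(f)
    computed = to_int(tryall(F, A, nat(n)))
    return computed, f_size_A(f, A, n), max(F.seen)
```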


5.4 Finalising Execution 


Now, we can define execution in a way that can be bounded by a polynomial
interpretation. We let execute : (word ⇒ word) ⇒ nat ⇒ nnat ⇒ nat ⇒ set ⇒
config ⇒ word and will define rules to reduce expressions execute F n m z a c
where
• F is the function to be used in oracle calls.
• n − 1 is a bound on the number of steps that can be done before the next
oracle call (or until the machine completes execution).
• m is essentially a natural number that represents the number of steps that
have been done so far. We use a new sort nnat with function symbols o : nnat
and n : nnat ⇒ nnat because we will let S_nnat = (ℕ, ≤), so ordered in the
other direction. This will be essential to find an interpretation for execute.
• z is a unary representation of |w|, where w is the input to the OTM.
• c is the current configuration.

Using helper symbols F' : (word ⇒ word) ⇒ nat ⇒ config ⇒ word, execute' :
(word ⇒ word) ⇒ nat ⇒ nnat ⇒ nat ⇒ set ⇒ config ⇒ word, extract : tape ⇒
word and minus : nat ⇒ nnat ⇒ nat, we introduce the rules:

F F w → F' F (len w) (q₀ (split (L []) (R w)) (split (L []) (R [])) (split (L []) (R [])))
F' F z c → execute F Θ^{P_M}_{F;z;∅} o z ∅ c

execute F (s n) m z a (q t₁ t₂ t₃) →
      execute F n (n m) z a (step F (q t₁ t₂ t₃))      for q ∉ {query, end}
execute F (s n) m z a (query t₁ t₂ t₃) →
      execute' F n (n m) z (setcons (extract t₂) a) (query t₁ t₂ t₃)

execute' F n m z a c → execute F (minus Θ^{P_M}_{F;z;a} m) m z a (step F c)
execute F n m z a (end t₁ t₂ t₃) → extract t₁
extract (split (L x) (R y)) → clean y
minus x o → x      minus 0 (n y) → 0      minus (s x) (n y) → minus x y


That is, an execution on F S_f w starts by computing the length of w and
P_M(|f|_∅, |w|), and uses these as arguments to execute. Each normal transition
lowers the number n of steps we are allowed to do and increases the number m of
steps we have done. Each oracle transition updates A, and either lowers n by one,
or updates it to the new value P_M(|f|_A, |w|) − m, since we have already done m
steps. Once we read the final state, the answer is read off the first tape.

For the interpretation, note that the unusual size set of nnat allows us to
choose J^s_minus = λxy. max(x − y, 0) without losing monotonicity. Hence, in every
step execute F n m z a c, the value max(P_M([F]^s, [z]^s) + 1 − [m]^s, [n]^s) decreases
by at least one. Since [Θ^{P_M}_{F;z;a}]^s = P_M([F]^s, [z]^s) regardless of a, we can
use this component as part of the interpretation. The full interpretation functions
for execute and F are long and complex, so we will not supply them here. They
can be found in [5]. We will only conclude the other side of Theorem 2:


Theorem 4. If Ψ ∈ BFF, then there exists a finite orthogonal STRS R such that
F computes Ψ in R and R admits a polynomially bounded interpretation.


6 Conclusions and Future Work 


In this paper, we have shown that BFF can be characterized through second-order 
term rewriting systems admitting polynomially bounded cost-size interpretations. 
This is arguably the first characterization of the basic feasible functionals purely 
in terms of rewriting theoretic concepts. 

For the purpose of presentation, we have imposed some mild restrictions that 
we believe are not essential in practice. In future extensions, we can eliminate 
these restrictions, such as allowing lambda-abstraction, non-base type rules, and 
higher-order functions (assuming that F is still second-order). We can also allow 
arbitrary inductive data structures as input. 

Another direction we definitely wish to explore is the characterization of 
polynomial time complexity for functionals of order strictly higher than two. It 
is well known that the underlying theory in this case becomes less robust than 
in type-2 complexity. As such, it is not clear which of the existing proposals for 
complexity classes of higher-order polytime complexity we can hope to capture 
within our framework. 
Abstract. This paper focuses on succinctness results for fragments of
Linear Temporal Logic with Past (LTL) devoid of binary temporal operators
like until, and provides methods to establish them. We prove that
there is a family of cosafety languages (L_n)_{n≥1} such that L_n can be expressed
with a pure future formula of size O(n), but it requires formulae
of size 2^{Ω(n)} to be captured with past formulae. As a by-product, such
a succinctness result shows the optimality of the pastification algorithm
proposed in [Artale et al., KR, 2023].

We show that, in the considered case, succinctness cannot be proven by
relying on the classical automata-based method introduced in [Markey,
Bull. EATCS, 2003]. In place of this method, we devise and apply a
combinatorial proof system whose deduction trees represent LTL formulae.
The system can be seen as a proof-centric (one-player) view on the
games used by Adler and Immerman to study the succinctness of CTL.


Keywords: Temporal logics · LTL · Succinctness · Proof systems.


1 Introduction 


Linear Temporal Logic with Past (LTL [17,23]) is the de-facto standard language
for the specification, verification, and synthesis of reactive systems [19]. Concerning
these reasoning tasks, two fundamental subsets of LTL-definable languages
come into play, namely, safety and cosafety languages. Safety languages express
properties stating that “something bad never happens”; cosafety languages, instead,
express the fact that “something good will eventually happen”. The crucial
feature of cosafety (resp., safety) languages is that checking a finite prefix of an
infinite trace suffices to establish whether the entire trace belongs (resp., does
not belong) to the language. Such an ability of reducing reasoning over infinite
words to the finite case plays a fundamental role in lowering the complexity of
reasoning tasks [16]. Because of this, while LTL was commonly interpreted over
infinite traces, recent work mainly considers its finite trace semantics [8,18,22].

In what follows, given a set of temporal operators S, we write LTL[S] for the
set of all LTL formulae in negation normal form whose temporal operators are
restricted to those in S. Similarly, we denote with F(LTL[S]) the set of formulae of
the form F(α), with α ∈ LTL[S]. Here, F is the future modality (a.k.a. eventually).
© The Author(s) 2024 
There are two notable syntactic characterizations of the cosafety languages
of LTL. The first one is a pure future characterization given by the logic LTL[X, U]
featuring modalities next X and until U. The second one is an eventually pure
past³ characterisation given by the logic F(pLTL), where pLTL is the pure past
fragment of LTL, that is, the restriction of LTL to past modalities. Analogous
characterizations have been provided for safety languages.

As for applications, F(pLTL) is considered to be much more convenient than
LTL[X, U], because, starting from an (eventually) pure past formula of size n, it
is possible to build an equivalent deterministic finite automaton of singly exponential
size in n [7]. In the case of LTL[X, U], such an automaton may have size
doubly exponential in n [16]. This computational advantage of pure past formulae
originated a recent line of research that focuses on the pastification problem,
i.e., the problem of translating an input pure future formula for a cosafety (or
safety) language into an equivalent pure past (equivalently, eventually pure past)
formula. While the best known algorithm for LTL[X, U] is triply exponential [7],
a singly exponential pastification algorithm to transform LTL[X, F] formulae into
F(LTL[Y, Ỹ, O]) ones has been recently developed in [4]. Here, modalities yesterday
Y and once O are the “temporal reverses” of modalities X and F, respectively,
whereas the weak yesterday operator Ỹ is the dual of Y (we formally define the
semantics of all these modalities in Section 2). No super-polynomial lower bounds
for these pastification problems are known.

While the above two characterisations of cosafety languages have been thoroughly
studied in the last decades in terms of expressiveness [6] and complexity
[2], their succinctness is still poorly understood. To the best of our knowledge,
the only known result is the one in [3] showing that F(pLTL) can be exponentially
more succinct than LTL[X, U]; note that lower bounds to pastification
problems require the opposite direction⁴.

In this paper, we study the succinctness of LTL[F] against F(LTL[Y, Ỹ, O, H]),
where H is the dual of O, as well as the succinctness of their reverse logics [3],
that is, the succinctness of F(LTL[O]) against LTL[X, X̃, F, G]. For these fragments
of LTL, we establish the following two results.


Theorem 1. F(LTL[O]) can be exponentially more succinct than LTL[X, X̃, F, G].
Theorem 2. LTL[F] can be exponentially more succinct than F(LTL[Y, Ỹ, O, H]).


The two theorems prove an incomparability result about the succinctness of
the characterizations of cosafety languages in the pure future and eventually
pure past fragments of LTL. Theorem 1 and Theorem 2 hold for both the finite
and infinite trace semantics of LTL (however, due to lack of space, we report the
proof of Theorem 1 only in the case of finite traces). As a corollary, Theorem 2
implies that the pastification algorithm proposed in [4] is optimal.


³ “Eventually pure past” refers to formulae of the form F(α), with α a pure past formula.

⁴ A logic L can be exponentially more succinct than a logic L' whenever there is a
family of languages (L_n)_{n≥1} such that L_n can be expressed in L with a formula of
size polynomial in n, whereas expressing L_n in L' requires formulae of size 2^{Ω(n)}.
Corollary 1. The pastification of LTL[X, F] into F(LTL[Y, Ỹ, O, H]) is in 2^{Θ(n)}.


To prove Theorem 1 we devise and apply a combinatorial proof system⁵.
Given two sets of finite traces A and B, with the proof system one can establish
whether there is a formula φ in LTL[X, X̃, F, G] that separates A from B, that is,
φ is satisfied by all traces in A (written A ⊨ φ) and violated by all traces in
B (written B ⊭ φ). A proof obtained by applying k rules of the proof system
corresponds to the existence of one such separating formula of size k.

The proposed combinatorial proof system can be seen as a reformulation in
terms of proofs of the games introduced by Adler and Immerman to show that
CTL⁺ is Θ(n)! more succinct than CTL [1]. They are two-player games that
extend Ehrenfeucht–Fraïssé games for quantifier depth in a way that captures
the notion of formula size instead. However, unlike Ehrenfeucht–Fraïssé ones, in
Adler–Immerman games one of the two players (the duplicator) always has a
trivial strategy. With our proof system, we show that removing the duplicator
from the game yields a natural one-player game based on building proofs.

To prove Theorem 1 by applying the proposed proof system, we provide,
for every n ≥ 1, a formula Φ_n in F(LTL[O]) of size linear in n and two sets of
traces A_n and B_n such that A_n ⊨ Φ_n and B_n ⊭ Φ_n, and then we show that
the smallest deduction tree that separates A_n from B_n has size at least 2ⁿ. This
implies that all formulas of LTL[X, X̃, F, G] capturing Φ_n are of size at least 2ⁿ.

Once Theorem 1 is established, one can prove Theorem 2 by “reversing”
the direction of time, building correspondences between formulae of LTL[F] and
F(LTL[O]), and between formulae of F(LTL[Y, Ỹ, O, H]) and LTL[X, X̃, F, G].

In the context of LTL, the main technique to prove “future against past” succinctness
discrepancies is arguably the automata method introduced by Markey
in [20]. At its core, such a method exploits the fact that pure future formulae
of LTL can be translated into nondeterministic Büchi automata of exponential
size, and thus no property requiring a doubly exponential size automaton can
be represented succinctly. The introduction of our proof system raises the question
of whether Markey's method can be applied to establish our succinctness
results. We prove that it cannot be used in our context. In order to obtain such
a result, the key observation is that, given a cosafety formula Fψ, a deterministic
Büchi automaton (DBA) for Fψ of size ℓ, and a prefix Π consisting of k temporal
operators among X, F, and G, the minimal DBA for the formula ΠFψ has size
polynomial in k and ℓ.


Synopsis. Section 2 introduces the necessary background. Section 3 discusses the
languages we use to prove Theorem 1. Section 4 introduces the combinatorial
proof system. In Section 5 we prove Theorem 1. In Section 6 we prove Theorem 2
and Corollary 1. The limits of the automata-based method to prove succinctness
lower bounds are discussed in Section 7. Related and future work are discussed
in Section 8. An extended version of the paper, complete with all proofs, can be
found in [13].


⁵ We use the term “combinatorial” for our proof system to conform with the terminology
from the Workshop “Combinatorial Games in Finite Model Theory”, LICS'23.
2 Preliminaries


In this section, we introduce background knowledge on LTL focusing on finite
traces. All definitions admit a natural extension to the setting of infinite traces.

Let Σ be a finite alphabet. We denote by Σ* the set of all finite words over Σ
and by Σ⁺ the subset of finite non-empty words. We use the term trace as a synonym
of word. A language L over Σ is a subset of Σ*. Let σ = (w₀, w₁, ..., w_n)
be a word in Σ*. We denote by |σ| the length of σ, that is, n+1. A position in σ is
an element in the set pos(σ) := [0, n]. For every i ∈ pos(σ), we denote by σ[i] ∈ Σ
the letter w_i, and by σ[i) the word (w_i, ..., w_n). We say that position j of σ has
type τ ∈ Σ whenever σ[j] = τ. Given two traces σ₁ and σ₂, we write σ₁ ⊑ σ₂
whenever σ₁ is a suffix of σ₂, that is, there is j ∈ pos(σ₂) such that σ₁ = σ₂[j).
Given a word σ' ∈ Σ*, we denote the concatenation of σ' to σ as σ·σ', or simply
σσ'. Given two languages L and L', we define L·L' = {σ·σ' | σ ∈ L, σ' ∈ L'}.
We sometimes apply the concatenation to a word and a language; in these cases
the word is implicitly converted into a singleton language, e.g., σ·L := {σ}·L.
With A ⊆_fin B we denote the fact that A is a finite subset of the set B.


Linear Temporal Logic with Past. In the following, we introduce the syntax and semantics of Linear Temporal Logic with Past (LTL) restricted to those operators that we are going to use throughout the paper. In particular, we omit the future operators until and release, and their past counterparts (since and triggers). Let $AP$ be a finite set of atomic propositions. The syntax of the formulae over $AP$ is generated by the following grammar:

$$
\begin{array}{rcll}
\varphi & := & p \mid \neg p \mid \varphi \vee \varphi \mid \varphi \wedge \varphi & \text{Boolean connectives} \\
 & \mid & X\varphi \mid \widetilde{X}\varphi \mid F\varphi \mid G\varphi & \text{future operators} \\
 & \mid & Y\varphi \mid \widetilde{Y}\varphi \mid O\varphi \mid H\varphi & \text{past operators}
\end{array}
$$

where $p \in AP$. The temporal operators are respectively called: $X$, next; $\widetilde{X}$, weak next; $F$, future; $G$, globally; $Y$, yesterday; $\widetilde{Y}$, weak yesterday; $O$, once; $H$, historically. For the rest of the paper, we let $OP := \{X, \widetilde{X}, F, G, Y, \widetilde{Y}, O, H\}$.

For every formula $\varphi$, the size of $\varphi$, denoted by $\mathrm{size}(\varphi)$, is defined inductively as follows: (i) $\mathrm{size}(p) := 1$ and $\mathrm{size}(\neg p) := 1$, (ii) $\mathrm{size}(\otimes\varphi) := \mathrm{size}(\varphi) + 1$ for $\otimes \in OP$, and (iii) $\mathrm{size}(\varphi_1 \otimes \varphi_2) := \mathrm{size}(\varphi_1) + \mathrm{size}(\varphi_2) + 1$ for $\otimes \in \{\vee, \wedge\}$.

We focus on the interpretation of LTL formulae over finite non-empty traces over the alphabet $2^{AP}$. From now on, we set the alphabet $\Sigma$ to be $2^{AP}$. Given a word $\sigma \in \Sigma^+$, the satisfaction of a formula $\varphi$ by $\sigma$ at time point / position $i \in \mathrm{pos}(\sigma)$, denoted by $\sigma, i \models \varphi$, is defined as follows:

1. $\sigma, i \models p$ iff $p \in \sigma[i]$;
2. $\sigma, i \models \neg p$ iff $p \notin \sigma[i]$;
3. $\sigma, i \models \varphi_1 \vee \varphi_2$ iff $\sigma, i \models \varphi_1$ or $\sigma, i \models \varphi_2$;
4. $\sigma, i \models \varphi_1 \wedge \varphi_2$ iff $\sigma, i \models \varphi_1$ and $\sigma, i \models \varphi_2$;
5. $\sigma, i \models X\varphi$ iff $i+1 < |\sigma|$ and $\sigma, i+1 \models \varphi$;
6. $\sigma, i \models \widetilde{X}\varphi$ iff either $i+1 = |\sigma|$ or $\sigma, i+1 \models \varphi$;
7. $\sigma, i \models F\varphi$ iff there exists $i \leq j < |\sigma|$ such that $\sigma, j \models \varphi$;
8. $\sigma, i \models G\varphi$ iff for all $i \leq j < |\sigma|$, it holds $\sigma, j \models \varphi$;
9. $\sigma, i \models Y\varphi$ iff $i > 0$ and $\sigma, i-1 \models \varphi$;
10. $\sigma, i \models \widetilde{Y}\varphi$ iff either $i = 0$ or $\sigma, i-1 \models \varphi$;
11. $\sigma, i \models O\varphi$ iff there exists $0 \leq j \leq i$ such that $\sigma, j \models \varphi$;
12. $\sigma, i \models H\varphi$ iff for all $0 \leq j \leq i$, it holds $\sigma, j \models \varphi$.

For every formula $\varphi$, we say that a trace $\sigma$ satisfies $\varphi$, written $\sigma \models \varphi$, if $\sigma, 0 \models \varphi$. The language of $\varphi$, denoted by $\mathcal{L}(\varphi)$, is the set of words $\sigma \in \Sigma^+$ such that $\sigma \models \varphi$. Given two formulae $\varphi$ and $\psi$, we say that $\varphi$ is equivalent to $\psi$, written $\varphi \equiv \psi$, whenever $\mathcal{L}(\varphi) = \mathcal{L}(\psi)$.


Fragments of LTL. Given a set of operators $S \subseteq OP$, we denote by $\mathrm{LTL}[S]$ the set of formulae only using temporal operators from $S$. When dealing with a concrete $S$, we omit the curly brackets and write, e.g., $\mathrm{LTL}[X, F]$ instead of $\mathrm{LTL}[\{X, F\}]$. Whenever $S$ contains only future operators (resp., past operators), the logic $\mathrm{LTL}[S]$ is called a pure future (resp., pure past) fragment of LTL. Finally, we denote by $F(\mathrm{LTL}[S])$ (resp., $G(\mathrm{LTL}[S])$) the set of formulae of the form $F(\alpha)$ (resp., $G(\alpha)$), where $\alpha$ is a formula of $\mathrm{LTL}[S]$. A language $\mathcal{L} \subseteq \Sigma^+$ is a cosafety language whenever $\mathcal{L} = K \cdot \Sigma^*$, for some $K \subseteq \Sigma^*$. A language $\mathcal{L}$ is a safety language whenever its complement $\overline{\mathcal{L}}$ is a cosafety language. For every formula $\varphi$ in the fragments $\mathrm{LTL}[X, F]$ and $F(\mathrm{LTL}[Y, \widetilde{Y}, O, H])$, it holds that $\mathcal{L}(\varphi)$ is a cosafety language. Similarly, for every formula $\varphi$ in the fragments $\mathrm{LTL}[\widetilde{X}, G]$ and $G(\mathrm{LTL}[Y, \widetilde{Y}, O, H])$, it holds that $\mathcal{L}(\varphi)$ is a safety language.


The pastification problem. Given two sets $S \subseteq \{X, \widetilde{X}, F, G\}$ and $S' \subseteq \{Y, \widetilde{Y}, O, H\}$, the pastification problem for $\mathrm{LTL}[S]$ into $F(\mathrm{LTL}[S'])$ asks, given an input formula $\varphi \in \mathrm{LTL}[S]$, to return a formula $\psi$ from $F(\mathrm{LTL}[S'])$ such that $\varphi \equiv \psi$. An algorithm for the pastification problem is said to be of $k$-exponential size (for $k \in \mathbb{N}$ fixed) whenever the output formula $\psi$ is such that $\mathrm{size}(\psi) \in \exp^k(\mathrm{poly}(\mathrm{size}(\varphi)))$, where $\exp^k(\cdot)$ is the $k$-th iteration of the base-2 tetration function given by $\exp^0(n) = n$ and $\exp^{k+1}(n) = 2^{\exp^k(n)}$. In [4], an exponential time, 1-exponential size, pastification algorithm for $\mathrm{LTL}[X, F]$ into $F(\mathrm{LTL}[Y, \widetilde{Y}, O])$ is presented.


Succinctness. Given two sets $S, S' \subseteq OP$, we say that $\mathrm{LTL}[S]$ can be exponentially more succinct than $\mathrm{LTL}[S']$ if there is a family of languages $(\mathcal{L}_n)_{n \geq 1}$ such that, for every $n \geq 1$, $\mathcal{L}_n \subseteq \Sigma_n^+$, for some alphabet $\Sigma_n$, and:

– there is $\varphi \in \mathrm{LTL}[S]$ such that $\mathcal{L}(\varphi) = \mathcal{L}_n$ and $\mathrm{size}(\varphi) \in \mathrm{poly}(n)$, and
– for every $\psi \in \mathrm{LTL}[S']$, if $\mathcal{L}(\psi) = \mathcal{L}_n$ then $\mathrm{size}(\psi) \in 2^{\Omega(n)}$.


It is worth noticing that the above-given syntax for LTL is already in negation normal form, that is, negation may only appear in front of atomic propositions. Allowing negations to occur freely in the formula increases neither expressiveness nor succinctness, as the grammar above is already closed under dual operators, e.g., $G\varphi \equiv \neg F \neg \varphi$, and the size of a formula does not depend on the number of negations occurring in literals. Because of this, all results given in the paper continue to hold when negation is added to the language.
3 A problematic cosafety language for $\mathrm{LTL}[X, \widetilde{X}, F, G]$


We now describe the property that we will exploit to prove that $F(\mathrm{LTL}[O])$ can be exponentially more succinct than $\mathrm{LTL}[X, \widetilde{X}, F, G]$ (Theorem 1). More precisely, we define a family of $F(\mathrm{LTL}[O])$ formulae $(\Phi_n)_{n \geq 1}$ such that, for every $n \geq 1$, $\Phi_n$ has size in $O(n)$ and captures a property requiring a formula of size at least $2^n$ to be expressed in $\mathrm{LTL}[X, \widetilde{X}, F, G]$ (as we will see in Section 5).

Let $n \geq 1$. We consider the alphabet of $2n+2$ distinct atomic propositions $AP := \{p, q\} \cup P \cup Q$, with $P := \{p_1, \dots, p_n\}$ and $Q := \{q_1, \dots, q_n\}$. For all $n \geq 1$, the formula $\Phi_n$ of $F(\mathrm{LTL}[O])$ is defined as follows:

$$
\Phi_n := F\Big( q \wedge \bigwedge_{i=1}^{n} \big( (q_i \wedge O(p \wedge p_i)) \vee (\neg q_i \wedge O(p \wedge \neg p_i)) \big) \Big).
$$


Observe that, for every $n \geq 1$, $\mathrm{size}(\Phi_n)$ belongs to $O(n)$. The formula $\Phi_n$ is satisfied by those traces $\sigma \in \Sigma^+$ where there is a position $j \in \mathrm{pos}(\sigma)$ such that (i) $q \in \sigma[j]$ and (ii) for every $i \in [1,n]$ there is a position $k_i \in [0,j]$ such that $p \in \sigma[k_i]$ and $q_i \in \sigma[j]$ if and only if $p_i \in \sigma[k_i]$. Notice that each $k_i \in [0,j]$ depends on an index $i \in [1,n]$. Therefore, for distinct $i, j \in [1,n]$ the positions $k_i$ and $k_j$ might differ. This feature is crucial to get a language which has a compact definition in $F(\mathrm{LTL}[O])$, but is hard to capture for $\mathrm{LTL}[X, \widetilde{X}, F, G]$.

As a matter of fact, requiring the various $k_i$ to coincide yields a formula $\Psi_n$ characterising the property: “the trace $\sigma$ has two positions $j \geq k$ such that $p \in \sigma[k]$, $q \in \sigma[j]$ and, for every $i \in [1,n]$, $q_i \in \sigma[j]$ if and only if $p_i \in \sigma[k]$”. This formula is known to require exponential size in LTL [20], and therefore in $F(\mathrm{LTL}[O])$ as well. In a sense, the asymmetry obtained by relaxing the uniqueness of the position $k$ above is what makes $\Phi_n$ easily expressible in $F(\mathrm{LTL}[O])$, but difficult to characterise in $\mathrm{LTL}[X, \widetilde{X}, F, G]$. The same trick, applied to position $j$ instead of position $k$, can be used to obtain a family of formulae that can be represented in an exponentially more succinct way in $\mathrm{LTL}[F]$ than in $F(\mathrm{LTL}[Y, \widetilde{Y}, O, H])$. This form of “temporal duality” is what we will ultimately exploit in Section 6 to prove Theorem 2.

The following lemma shows that $\Phi_n$ can be expressed in $\mathrm{LTL}[F]$ (and thus in $\mathrm{LTL}[X, \widetilde{X}, F, G]$ as well) with a formula of exponential size.


Lemma 1. For every $n \geq 1$, there is a formula $\Phi'_n$ in $\mathrm{LTL}[F]$ such that $\Phi'_n \equiv \Phi_n$ and $\mathrm{size}(\Phi'_n) \leq 2^{n+1}(n+2)^2$.


Proof sketch. Given $\tau \in 2^Q$, we write $\overline{\tau}$ for the element of $2^P$ such that $p_i \in \overline{\tau}$ if and only if $q_i \in \tau$, for every $i \in [1,n]$. Then, the formula $\Phi'_n$ is defined as follows:

$$
\Phi'_n := \bigvee_{\tau \in 2^Q} \Big( \bigwedge_{a \in \overline{\tau}} F\big(a \wedge p \wedge F(q \wedge \psi_\tau)\big) \ \wedge \bigwedge_{b \in P \setminus \overline{\tau}} F\big(\neg b \wedge p \wedge F(q \wedge \psi_\tau)\big) \Big),
$$

where $\psi_\tau := \bigwedge_{a \in \tau} a \wedge \bigwedge_{a \in Q \setminus \tau} \neg a$.
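The following Python snippet is an added example, not code from the paper: it implements the satisfaction relation of Section 2 over finite traces (all twelve clauses, including the weak operators), the size function, and the two formulae $\Phi_n$ and $\Phi'_n$ of this section, and it exhaustively compares $\Phi_n$ with $\Phi'_n$ on short traces. The tuple encoding of formulae, the names `phi_n`, `phi_prime_n`, `relevant_letters` and `equivalent_on_short_traces`, and the restriction of the exhaustive check to the types $T_P$, $T_Q$ and $\emptyset$ of Section 5.1 and to length at most 3 are this example's own assumptions (the restriction keeps the check fast; it is not part of the paper's argument).

```python
from itertools import product

# Formulae are nested tuples (a representation chosen for this example):
#   ('atom', 'p'), ('neg', 'p'), ('or', f, g), ('and', f, g),
#   ('X', f), ('wX', f), ('F', f), ('G', f), ('Y', f), ('wY', f), ('O', f), ('H', f)
# where 'wX' and 'wY' stand for weak next and weak yesterday.
# Traces are sequences of frozensets of proposition names (letters of 2^AP).
TEMPORAL = {'X', 'wX', 'F', 'G', 'Y', 'wY', 'O', 'H'}


def size(phi):
    """size() as defined in Section 2: literals count 1, every connective adds 1."""
    op = phi[0]
    if op in ('atom', 'neg'):
        return 1
    if op in TEMPORAL:
        return size(phi[1]) + 1
    return size(phi[1]) + size(phi[2]) + 1


def sat(trace, i, phi):
    """sigma, i |= phi for a non-empty trace and a position i in pos(sigma)."""
    op, n = phi[0], len(trace)
    if op == 'atom':
        return phi[1] in trace[i]
    if op == 'neg':
        return phi[1] not in trace[i]
    if op == 'or':
        return sat(trace, i, phi[1]) or sat(trace, i, phi[2])
    if op == 'and':
        return sat(trace, i, phi[1]) and sat(trace, i, phi[2])
    if op == 'X':    # strong next: a next position must exist
        return i + 1 < n and sat(trace, i + 1, phi[1])
    if op == 'wX':   # weak next: vacuously true at the last position
        return i + 1 == n or sat(trace, i + 1, phi[1])
    if op == 'F':
        return any(sat(trace, j, phi[1]) for j in range(i, n))
    if op == 'G':
        return all(sat(trace, j, phi[1]) for j in range(i, n))
    if op == 'Y':    # strong yesterday: a previous position must exist
        return i > 0 and sat(trace, i - 1, phi[1])
    if op == 'wY':   # weak yesterday: vacuously true at position 0
        return i == 0 or sat(trace, i - 1, phi[1])
    if op == 'O':
        return any(sat(trace, j, phi[1]) for j in range(0, i + 1))
    if op == 'H':
        return all(sat(trace, j, phi[1]) for j in range(0, i + 1))
    raise ValueError(f"unknown operator {op!r}")


def models(trace, phi):
    """sigma |= phi, i.e. satisfaction at position 0."""
    return sat(trace, 0, phi)


def conj(fs):
    """Binary conjunction of a non-empty list (every bracketing has the same size)."""
    f = fs[-1]
    for g in reversed(fs[:-1]):
        f = ('and', g, f)
    return f


def disj(fs):
    f = fs[-1]
    for g in reversed(fs[:-1]):
        f = ('or', g, f)
    return f


def phi_n(n):
    """Phi_n = F(q and AND_i ((q_i and O(p and p_i)) or (not q_i and O(p and not p_i))))."""
    parts = []
    for i in range(1, n + 1):
        qi, pi = f'q{i}', f'p{i}'
        parts.append(('or',
                      ('and', ('atom', qi), ('O', ('and', ('atom', 'p'), ('atom', pi)))),
                      ('and', ('neg', qi), ('O', ('and', ('atom', 'p'), ('neg', pi))))))
    return ('F', ('and', ('atom', 'q'), conj(parts)))


def phi_prime_n(n):
    """Phi'_n from the proof sketch of Lemma 1, in LTL[F]: one disjunct per tau in 2^Q."""
    Q = [f'q{i}' for i in range(1, n + 1)]
    P = [f'p{i}' for i in range(1, n + 1)]
    disjuncts = []
    for bits in product((0, 1), repeat=n):           # bits[i] == 1 iff q_{i+1} in tau
        psi_tau = conj([('atom', a) if b else ('neg', a) for a, b in zip(Q, bits)])
        tail = ('F', ('and', ('atom', 'q'), psi_tau))  # F(q and psi_tau)
        conjuncts = []
        for a, b in zip(P, bits):                     # p_i in tau-bar iff q_i in tau
            lit = ('atom', a) if b else ('neg', a)
            conjuncts.append(('F', ('and', lit, ('and', ('atom', 'p'), tail))))
        disjuncts.append(conj(conjuncts))
    return disj(disjuncts)


def relevant_letters(n):
    """The types T_P and T_Q of Section 5.1 plus the empty type (an assumption of this check)."""
    P = [f'p{i}' for i in range(1, n + 1)]
    Q = [f'q{i}' for i in range(1, n + 1)]
    letters = [frozenset()]
    for bits in product((0, 1), repeat=n):
        letters.append(frozenset({'p'} | {a for a, b in zip(P, bits) if b}))
        letters.append(frozenset({'q'} | {a for a, b in zip(Q, bits) if b}))
    return letters


def equivalent_on_short_traces(f, g, n, max_len):
    """Compare f and g on every trace over relevant_letters(n) of length <= max_len."""
    letters = relevant_letters(n)
    for length in range(1, max_len + 1):
        for trace in product(letters, repeat=length):
            if models(trace, f) != models(trace, g):
                return False
    return True


if __name__ == '__main__':
    n = 2
    print(size(phi_n(n)), size(phi_prime_n(n)), 2 ** (n + 1) * (n + 2) ** 2)
    print(equivalent_on_short_traces(phi_n(n), phi_prime_n(n), n, 3))
```

For $n = 2$ the construction gives $\mathrm{size}(\Phi_2) = 30$ and $\mathrm{size}(\Phi'_2) = 95$, within the bound $2^{3} \cdot 4^2 = 128$ of Lemma 1; the constructed trace $\{p, p_1\}\,\{p, p_2\}\,\{q, q_1, q_2\}$ satisfies $\Phi_2$ with two different positions $k_1 = 0$ and $k_2 = 1$, which is exactly the asymmetry discussed above.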


4 A combinatorial proof system for $\mathrm{LTL}[X, \widetilde{X}, F, G]$


In this section, we introduce the proof system that we will later employ to prove Theorem 1, and discuss its connection with Adler-Immerman games [1].
Further notation. Let $A \subseteq \Sigma^+$, with $\Sigma := 2^{AP}$ for some set of propositions $AP$. We define $A^X := \{\sigma[1\rangle : \sigma \in A \text{ s.t. } |\sigma| \geq 2\}$, i.e., the set of non-empty traces obtained from $A$ by stepping each trace one position to the right. We define $A^S := \{\sigma[j\rangle : \sigma \in A \text{ and } j \in \mathrm{pos}(\sigma)\}$, i.e., the set of all suffixes of the traces in $A$. We say that a map $f : A \to \mathbb{N}$ is a future point for $A$ whenever $f(\sigma) \in \mathrm{pos}(\sigma)$ for every $\sigma \in A$. We write $F_A$ for the set of all maps that are future points for $A$. Given a future point $f$ for $A$ and $\sigma \in A$ with $f(\sigma) = i$, we define $\sigma^f := \sigma[i\rangle$ and $A^f := \{\sigma^f : \sigma \in A\}$. Note that, by definition, $A^S = \bigcup_{f \in F_A} A^f$.

For a formula $\varphi$ of LTL, we write $A \models \varphi$ whenever $(\sigma, 0) \models \varphi$ for every $\sigma \in A$, and $A \not\models \varphi$ whenever $(\sigma, 0) \not\models \varphi$ for every $\sigma \in A$. Given two sets of traces $A, B \subseteq \Sigma^+$ we say that $\varphi$ separates $A$ from $B$ whenever $A \models \varphi$ and $B \not\models \varphi$. We write $\langle \cdot, \cdot \rangle_S \subseteq 2^{\Sigma^+} \times 2^{\Sigma^+}$ for the separable relation on $S \subseteq OP$, i.e., the binary relation holding on pairs $(A, B)$ whenever there is some formula from $\mathrm{LTL}[S]$ that separates $A$ from $B$. Note that, when $A$ and $B$ are finite sets and $X \in S$, deciding whether $\langle A, B\rangle_S$ holds is trivial.


Lemma 2. Let $A, B \subseteq \Sigma^+$ and $S \subseteq OP$. Then, $\langle A, B\rangle_S$ implies $A \cap B = \emptyset$. Moreover, if $A$ and $B$ are finite sets and $X \in S$, $A \cap B = \emptyset$ implies $\langle A, B\rangle_S$.


Proof sketch. For the first statement, clearly if $A \cap B \neq \emptyset$ then it is not possible to separate $A$ from $B$. To prove the second statement, one defines a disjunction $\varphi$ of formulae, each characterising an element in $A$. For instance, for $AP = \{p, q\}$, the trace $\{p\}\{q\}$ can be characterised with the formula $(p \wedge \neg q) \wedge X(q \wedge \neg p \wedge \widetilde{X}\bot)$, where $\bot := p \wedge \neg p$. Then, $\varphi$ separates $A$ from $B$.


We mainly consider the relation $\langle \cdot, \cdot \rangle_S$ with $S$ being the set $\{X, \widetilde{X}, F, G\}$, and thus from now on simply write $\langle \cdot, \cdot \rangle$ when considering this concrete choice of $S$.


4.1 The proof system 


The combinatorial proof system that we define is a natural-deduction-style proof system. It is made of several inference rules of the form $\dfrac{H_1 \quad \cdots \quad H_n}{C}$, to be read as “if the hypotheses $H_1, \dots, H_n$ hold, then the consequence $C$ holds”. As usual, proofs within the proof system have a tree-like presentation. The inference rules of the proof system are given in Figure 1, and an example of a deduction tree is given in Figure 2, where $a := \{p\}$ and $b := \emptyset$, with $p \in AP$.

$$
\begin{array}{c}
\text{ATOMIC}\ \dfrac{A \models \alpha \qquad B \not\models \alpha}{\langle A, B\rangle}\ \ \alpha \text{ literal}
\qquad
\text{OR}\ \dfrac{\langle A_1, B\rangle \qquad \langle A_2, B\rangle}{\langle A_1 \uplus A_2, B\rangle}
\qquad
\text{AND}\ \dfrac{\langle A, B_1\rangle \qquad \langle A, B_2\rangle}{\langle A, B_1 \uplus B_2\rangle}
\\[3ex]
\text{NEXT}\ \dfrac{\langle A^X, B^X\rangle}{\langle A, B\rangle}\ \ A \subseteq \Sigma \cdot \Sigma^+
\qquad
\text{WEAKNEXT}\ \dfrac{\langle A^X, B^X\rangle}{\langle A, B\rangle}\ \ B \subseteq \Sigma \cdot \Sigma^+
\\[3ex]
\text{FUTURE}\ \dfrac{\langle A^f, B^S\rangle}{\langle A, B\rangle}\ \ f \in F_A
\qquad
\text{GLOBALLY}\ \dfrac{\langle A^S, B^f\rangle}{\langle A, B\rangle}\ \ f \in F_B
\end{array}
$$

Fig. 1. The combinatorial proof system. Here, $A, B \subseteq \Sigma^+$.

$$
\text{OR}\ \dfrac{
\text{NEXT}\ \dfrac{\text{ATOMIC}\ \dfrac{\{baa\} \models \neg p \qquad \{aab\} \not\models \neg p}{\langle \{baa\}, \{aab\}\rangle}}{\langle \{abaa\}, \{aaab\}\rangle}
\qquad
\text{GLOBALLY}\ \dfrac{\text{ATOMIC}\ \dfrac{\{aaaa, aaa, aa, a\} \models p \qquad \{b\} \not\models p}{\langle \{aaaa, aaa, aa, a\}, \{b\}\rangle}}{\langle \{aaaa\}, \{aaab\}\rangle}
}{\langle \{abaa, aaaa\}, \{aaab\}\rangle}
$$

Fig. 2. A deduction tree proving $\langle \{abaa, aaaa\}, \{aaab\}\rangle$. Here, $a := \{p\}$ and $b := \emptyset$.

The tree in Figure 2 is a deduction tree for the term $\langle \{abaa, aaaa\}, \{aaab\}\rangle$, which we call the root of the deduction tree. In Figure 2, the rule OR is applied to the root, with hypotheses $\langle \{abaa\}, \{aaab\}\rangle$ and $\langle \{aaaa\}, \{aaab\}\rangle$. In turn, these two hypotheses are derived in the deduction tree by eventually reaching applications of the rule ATOMIC. A deduction tree is always closed: all maximal paths from the root end with an application of the rule ATOMIC. This means that a rule of the proof system must be applied to each term $\langle A, B\rangle$ appearing in the tree. We call a tree a partial deduction tree if this property is not enforced, namely when there might be unproven terms $\langle A, B\rangle$. The size of a deduction tree is the number of rules in it. For instance, the tree in Figure 2 has size 5.

Let us briefly describe the rules of Figure 1. The ATOMIC rule allows deriving $\langle A, B\rangle$ if every trace in $A$ satisfies some literal $\alpha$ and every trace in $B$ violates $\alpha$. The OR rule corresponds to the case of $A$ being separable from $B$ via a formula of the form $\varphi_1 \vee \varphi_2$. In this and the rule AND, $\uplus$ stands for the union of disjoint sets. Intuitively, OR can be applied by proving that $\varphi_1$ separates a set $A_1 \subseteq A$ from $B$ and that $\varphi_2$ separates the set $A \setminus A_1$ from $B$. The NEXT rule allows separating $A$ from $B$ with a formula of the form $X\varphi$, by checking whether the sets obtained by stepping all traces in $A$ and $B$ to the next time point are separable by $\varphi$. The condition $A \subseteq \Sigma \cdot \Sigma^+$ is necessary to ensure that all traces in $A$ have a next time point. The FUTURE rule separates $A$ from $B$ by following this principle: if the set obtained by choosing one suffix for every trace in $A$ is separable from the set of all suffixes of the traces in $B$, then there is a formula of the form $F\varphi$ separating $A$ from $B$. The rules AND, WEAKNEXT and GLOBALLY are designed to be duals of the rules OR, NEXT and FUTURE, respectively.

By using the proof system one can derive whether a pair of (finite or infinite) sets of traces $(A, B)$ is in the separable relation $\langle \cdot, \cdot \rangle$. Because of Lemma 2, this is not, however, a particularly useful application. Instead, the proof system is to be used to derive non-trivial lower (or upper) bounds on the size of the minimal formula that separates $A$ from $B$. This is done by studying the sizes of the possible deduction trees of $\langle A, B\rangle$ in the proof system.

For instance, the deduction tree of Figure 2 shows that there is a formula $\varphi$ having $\mathrm{size}(\varphi) = 5$ and separating $\{abaa, aaaa\}$ from $\{aaab\}$. This formula is found by simply reading bottom-up, starting from the root, the rules in the deduction tree, associating to each rule the homonymous operator of LTL. In the case of the tree in Figure 2 we have $\varphi := (X \neg p) \vee Gp$. Note that the formula $\varphi$ is not the smallest separating formula, because the formula $XXGp$ also separates $\{abaa, aaaa\}$ from $\{aaab\}$ and corresponds to a tree of size 4.
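The following Python checker is an added example and not the paper's own code: it implements the seven rules of Figure 1 as a verifier for deduction trees (checking the side conditions $A \subseteq \Sigma \cdot \Sigma^+$, $B \subseteq \Sigma \cdot \Sigma^+$, $f \in F_A$, $f \in F_B$ and disjointness for $\uplus$), computes the size of a tree, and reads off the separating formula bottom-up as described above. The tree of Figure 2 is encoded with $a := \{p\}$ and $b := \emptyset$. The `Node` class, the ASCII rendering of formulae (`~` for $\neg$, `|` for $\vee$, `&` for $\wedge$) and the `bad_tree` example (a NEXT application whose side condition fails) are conventions of this example.

```python
from dataclasses import dataclass, field

# Traces are tuples of frozensets of propositions; a := {p}, b := {} as in Figure 2.
A_LETTER, B_LETTER = frozenset({'p'}), frozenset()


def trace(s):
    """Build a trace from a string over the letters 'a' and 'b'."""
    return tuple(A_LETTER if c == 'a' else B_LETTER for c in s)


def step(S):
    """S^X: drop the first position of every trace of length >= 2."""
    return frozenset(s[1:] for s in S if len(s) >= 2)


def suffixes(S):
    """S^S: all suffixes s[j> for j in pos(s)."""
    return frozenset(s[j:] for s in S for j in range(len(s)))


def future_point(S, f):
    """S^f for a future point f (a dict trace -> position) with f(s) in pos(s)."""
    assert all(0 <= f[s] < len(s) for s in S), "f must be a future point for S"
    return frozenset(s[f[s]:] for s in S)


@dataclass
class Node:
    rule: str                  # ATOMIC, OR, AND, NEXT, WEAKNEXT, FUTURE or GLOBALLY
    A: frozenset
    B: frozenset
    premises: list = field(default_factory=list)
    literal: tuple = None      # ATOMIC: ('p', True) for p, ('p', False) for ~p
    f: dict = None             # FUTURE / GLOBALLY: the chosen future point


def holds_literal(s, lit):
    """Whether the trace s satisfies the literal at position 0."""
    name, positive = lit
    return (name in s[0]) == positive


def check(node):
    """Verify every rule application of Figure 1; return (valid, size, formula)."""
    A, B, r = node.A, node.B, node.rule
    if r == 'ATOMIC':
        ok = (all(holds_literal(s, node.literal) for s in A)
              and not any(holds_literal(s, node.literal) for s in B))
        name, positive = node.literal
        return ok, 1, name if positive else '~' + name
    if r in ('OR', 'AND'):
        p1, p2 = node.premises
        if r == 'OR':    # A = A1 (+) A2, same B in both premises
            ok = p1.B == B and p2.B == B and p1.A.isdisjoint(p2.A) and p1.A | p2.A == A
        else:            # B = B1 (+) B2, same A in both premises
            ok = p1.A == A and p2.A == A and p1.B.isdisjoint(p2.B) and p1.B | p2.B == B
        ok1, s1, f1 = check(p1)
        ok2, s2, f2 = check(p2)
        return ok and ok1 and ok2, s1 + s2 + 1, f"({f1}) {'|' if r == 'OR' else '&'} ({f2})"
    (p,) = node.premises
    if r in ('NEXT', 'WEAKNEXT'):
        side = A if r == 'NEXT' else B          # the side that must have a next position
        ok = all(len(s) >= 2 for s in side) and p.A == step(A) and p.B == step(B)
        op = 'X' if r == 'NEXT' else 'wX'
    elif r == 'FUTURE':
        ok = p.A == future_point(A, node.f) and p.B == suffixes(B)
        op = 'F'
    elif r == 'GLOBALLY':
        ok = p.A == suffixes(A) and p.B == future_point(B, node.f)
        op = 'G'
    else:
        raise ValueError(f"unknown rule {r!r}")
    okp, sp, fp = check(p)
    return ok and okp, sp + 1, f"{op}({fp})"


def figure2_tree():
    """The deduction tree of Figure 2 for <{abaa, aaaa}, {aaab}>."""
    S = lambda *ws: frozenset(trace(w) for w in ws)
    left = Node('NEXT', S('abaa'), S('aaab'),
                [Node('ATOMIC', S('baa'), S('aab'), literal=('p', False))])
    right = Node('GLOBALLY', S('aaaa'), S('aaab'),
                 [Node('ATOMIC', S('aaaa', 'aaa', 'aa', 'a'), S('b'), literal=('p', True))],
                 f={trace('aaab'): 3})                 # f picks the suffix "b" of aaab
    return Node('OR', S('abaa', 'aaaa'), S('aaab'), [left, right])


def bad_tree():
    """NEXT applied to <{a}, {b}>: A has a trace without a next position, so it is rejected."""
    S = lambda *ws: frozenset(trace(w) for w in ws)
    return Node('NEXT', S('a'), S('b'), [Node('ATOMIC', frozenset(), frozenset(), literal=('p', True))])


if __name__ == '__main__':
    print(check(figure2_tree()))   # (True, 5, '(X(~p)) | (G(p))')
    print(check(bad_tree()))       # (False, 2, 'X(p)')
```

Reading the result back, the checker returns size 5 and the formula `(X(~p)) | (G(p))`, i.e. $(X\neg p) \vee Gp$, for the tree of Figure 2; the rejected tree shows that the side condition of NEXT is what prevents a deduction from silently dropping length-one traces.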

The correspondence between deduction trees and formulae is formalised in the next theorem (we remark that $A$ and $B$ below do not need to be finite sets).

Theorem 3. Consider $A, B \subseteq \Sigma^+$. Then, the term $\langle A, B\rangle$ has a deduction tree of size $k$ if and only if there is a formula $\varphi$ of $\mathrm{LTL}[X, \widetilde{X}, F, G]$ separating $A$ from $B$ and such that $\mathrm{size}(\varphi) = k$.


Proof sketch. We leave to the reader the proof of the left-to-right direction of the theorem (shown by induction on $k$), as it is not required to establish lower bounds on the sizes of formulae, and focus instead on the right-to-left direction.

Consider an $\mathrm{LTL}[X, \widetilde{X}, F, G]$ formula $\varphi$ that separates $A$ from $B$. We construct a deduction tree of size $\mathrm{size}(\varphi)$. We proceed by structural induction on $\varphi$.


base case: $\varphi$ literal. The deduction tree consists of a single application of the rule ATOMIC.


induction step, case $\varphi = \varphi_1 \vee \varphi_2$. Define $A_1 := \{\sigma \in A : \sigma \models \varphi_1\}$ and $A_2 := A \setminus A_1$. From $A \models \varphi$ and $B \not\models \varphi$ we get $A_i \models \varphi_i$ and $B \not\models \varphi_i$ for both $i \in \{1, 2\}$. By induction hypothesis $\langle A_i, B\rangle$ has a deduction tree of size $\mathrm{size}(\varphi_i)$. By applying the rule OR, we obtain a deduction tree for $\langle A, B\rangle$ having size $\mathrm{size}(\varphi_1) + \mathrm{size}(\varphi_2) + 1 = \mathrm{size}(\varphi)$.

induction step, case $\varphi = X\psi$. Since $A \models X\psi$, for every $\sigma \in A$ we have $|\sigma| \geq 2$ and $(\sigma, 1) \models \psi$. By definition of $A^X$, $A \subseteq \Sigma \cdot \Sigma^+$ and $A^X \models \psi$. From $B \not\models X\psi$, for every $\sigma' \in B$, if $|\sigma'| \geq 2$ then $(\sigma', 1) \not\models \psi$. By definition of $B^X$, we have $B^X \not\models \psi$. By induction hypothesis, $\langle A^X, B^X\rangle$ has a deduction tree of size $\mathrm{size}(\psi)$. We apply the rule NEXT to obtain a deduction tree of $\langle A, B\rangle$ of size $\mathrm{size}(\psi) + 1 = \mathrm{size}(\varphi)$.

induction step, case $\varphi = F\psi$. Since $A \models F\psi$, for every $\sigma \in A$ there is $j_\sigma \in \mathrm{pos}(\sigma)$ such that $(\sigma, j_\sigma) \models \psi$. Let $f \in F_A$ be the map given by $f(\sigma) = j_\sigma$ for every $\sigma \in A$. We have $A^f \models \psi$. We show that $B^S \not\models \psi$. Ad absurdum, suppose there is $\sigma_1 \in B^S$ such that $\sigma_1 \models \psi$. By definition of $B^S$ there is $\sigma_2 \in B$ such that $\sigma_1 \sqsubseteq \sigma_2$. Then, $(\sigma_2, 0) \models F\psi$. However, this contradicts the fact that $B \not\models F\psi$. Therefore, $B^S \not\models \psi$. By induction hypothesis, $\langle A^f, B^S\rangle$ has a deduction tree of size $\mathrm{size}(\psi)$. By applying the rule FUTURE, we obtain a deduction tree for $\langle A, B\rangle$ of size $\mathrm{size}(\psi) + 1 = \mathrm{size}(\varphi)$.


induction step, cases $\varphi = \psi_1 \wedge \psi_2$, $\varphi = \widetilde{X}\psi$ and $\varphi = G\psi$. These cases are analogous to the cases $\varphi = \psi_1 \vee \psi_2$, $\varphi = X\psi$ and $\varphi = F\psi$, respectively.


The right-to-left direction of Theorem 3 implies the following corollary, which highlights how our proof system is used to obtain lower bounds on the sizes of formulae.


Corollary 2. Consider a formula $\varphi$ in $\mathrm{LTL}[X, \widetilde{X}, F, G]$. Suppose that (i) there are $A, B \subseteq \Sigma^+$ such that $\varphi$ separates $A$ from $B$, and (ii) every deduction tree of $\langle A, B\rangle$ has size at least $k$. Then, $\mathrm{size}(\varphi) \geq k$.


4.2 Connections with the Adler-Immerman games 


As outlined in Section 1, our proof system can be seen as an adaptation of the games for CTL introduced by Adler and Immerman in [1]. We now illustrate this connection. Readers that are mostly interested in seeing our proof system in action may want to skip to Section 5.
The Adler-Immerman games extend the classical Ehrenfeucht-Fraïssé games in order to bound the sizes of the formulae that separate two (sets of) structures, instead of their quantifier depths. As in the Ehrenfeucht-Fraïssé games, the Adler-Immerman games are two-player games between a spoiler and a duplicator. The game arena is a pair of sets of structures $(A, B)$, and at each round of the game the spoiler chooses a rule $r$ to play (there is one rule for each Boolean connective and operator of the logic) and plays on one set of structures according to what $r$ dictates. The duplicator replies on the other set, again according to $r$. The goal of the spoiler is to separate $A$ from $B$ (i.e., to show $\langle A, B\rangle$ in the context of CTL) in as few rounds as possible, whereas the duplicator must prolong the game as much as she can. The length of the minimal game corresponds to the size of the minimal formula separating $A$ from $B$. The main difference between an Adler-Immerman game and an Ehrenfeucht-Fraïssé game is that, in the former, in each round the duplicator is allowed to make copies of the structures in the set she is playing on, and to play differently in each of these copies. This extra power given to the duplicator is why the games end up capturing the notion of size of a formula.

In the setting of the Adler-Immerman games, the rule for the operator $F$ in LTL would be spelled as follows: “For each structure $\sigma \in A$, the spoiler moves to a future position of $\sigma$ (i.e., $\sigma[j\rangle$ for some $j \in \mathrm{pos}(\sigma)$). The duplicator answers by first making as many copies of elements in $B$ as she wants, and then selects a future position for each of these copies”. Because she can make copies, the duplicator has a trivial optimal strategy: at each round, copy the structures in $B$ as much as possible, choosing a different position in each copy. The rule for $F$ then simplifies to “For each structure $\sigma \in A$, the spoiler moves to a future position of $\sigma$. The duplicator answers with $B^S$”, which corresponds to our rule FUTURE.

While Adler and Immerman discuss the fact that the duplicator has a trivial optimal strategy, they do not restate the games with only one player (mainly so as not to lose the similarity with the Ehrenfeucht-Fraïssé games). Our work shows that removing the duplicator yields a natural one-player game based on building proofs within a proof system. We think that this proof-system view has a few merits over the games. First, when proving lower bounds, it reduces the clumsiness of discussing the various moves of the spoiler and the replies of the duplicator. The combinatorics is of course still there, but not the players, and this substantially simplifies the exposition. Second, the proof system resembles the way in which one reasons about the algorithmic problem of separating $A$ from $B$. For instance, the algorithm presented in [21] uses decision trees for solving this problem. These decision trees, when they encode a formula from $\mathrm{LTL}[X, \widetilde{X}, F, G]$, can be easily translated into proofs in our proof system. We discuss this line of work, connected with LTL formula learning and explainable planning, further in Section 8.


5 The exponential lower bound for $\Phi_n$


In this section, we show that, for every $n \geq 1$, all formulae of $\mathrm{LTL}[X, \widetilde{X}, F, G]$ characterising the $F(\mathrm{LTL}[O])$ formula $\Phi_n$ defined in Section 3 have size at least $2^n$. According to the definition of $\Phi_n$, we consider a set of $2n+2$ distinct atomic propositions $AP := \{p, q\} \cup P \cup Q$, with $P := \{p_1, \dots, p_n\}$ and $Q := \{q_1, \dots, q_n\}$, and $\Sigma := 2^{AP}$. Throughout the section, let $\alpha(n) := 2^{n+1}(n+2)^2$, i.e., the upper bound given in Lemma 1 for one of these formulae.

Following Corollary 2, to prove the exponential lower bound we


1. define $\mathbf{A}, \mathbf{B} \subseteq \Sigma^+$ such that $\Phi_n$ separates $\mathbf{A}$ from $\mathbf{B}$ (Section 5.1), and
2. prove that every deduction tree for $\langle \mathbf{A}, \mathbf{B}\rangle$ has size at least $2^n$ (Section 5.2).


5.1 Setting up the sets of traces $\mathbf{A}$ and $\mathbf{B}$


We define the sets of types $T_P := \{\tau \in \Sigma : p \in \tau \text{ and } \tau \subseteq P \cup \{p\}\}$ and $T_Q := \{\tau \in \Sigma : q \in \tau \text{ and } \tau \subseteq Q \cup \{q\}\}$. Similarly to what is done in the proof of Lemma 1, we write $\overline{\cdot}$ for the involution on $T_P \cup T_Q$ sending a type $\tau \in T_Q$ into the (only) type $\overline{\tau} \in T_P$ with $q_i \in \tau$ if and only if $p_i \in \overline{\tau}$, for every $i \in [1, n]$.

Throughout the section, we fix an (arbitrary) strict total order $\prec$ on the elements of $T_Q$. Then, we denote by $\mathcal{E} \in (\emptyset^{\alpha(n)} \cdot T_Q)^{2^n} \cdot \emptyset^{\alpha(n)}$ the (only) finite word enumerating all elements in $T_Q$, with respect to the order $\prec$. Note that, in $\mathcal{E}$, between any two subsequent elements of $T_Q$ there are $\alpha(n)$ positions of type $\emptyset$. This “padding” added to the enumeration is required to handle the rules NEXT and WEAKNEXT. Given $\tau \in T_Q$, we write $\mathcal{E}|_{-\tau}$ for the trace obtained from $\mathcal{E}$ by eliminating the only position of type $\tau$, together with the $\alpha(n)$ positions of type $\emptyset$ preceding it. So, $\mathcal{E}|_{-\tau}$ belongs to $(\emptyset^{\alpha(n)} \cdot T_Q)^{2^n - 1} \cdot \emptyset^{\alpha(n)}$.

For instance, consider the case of $n = 2$, so $Q = \{q_1, q_2\}$ and $\alpha(n) = 128$. Suppose $\{q\} \prec \{q, q_1\} \prec \{q, q_2\} \prec \{q, q_1, q_2\}$ to be the strict order on $T_Q$. Then,

$$
\begin{array}{rcl}
\mathcal{E} & = & \emptyset^{128} \cdot \{q\} \cdot \emptyset^{128} \cdot \{q, q_1\} \cdot \emptyset^{128} \cdot \{q, q_2\} \cdot \emptyset^{128} \cdot \{q, q_1, q_2\} \cdot \emptyset^{128} \\
\mathcal{E}|_{-\{q, q_2\}} & = & \emptyset^{128} \cdot \{q\} \cdot \emptyset^{128} \cdot \{q, q_1\} \cdot \emptyset^{128} \cdot \{q, q_1, q_2\} \cdot \emptyset^{128}
\end{array}
$$

For the rest of the paper, we denote with $\mathbf{A}$ and $\mathbf{B}$ the sets:

$$
\mathbf{A} := \{\emptyset^j \cdot \overline{\tau} \cdot \mathcal{E} : j \in \mathbb{N}, \tau \in T_Q\}, \qquad \mathbf{B} := \{\emptyset^j \cdot \overline{\tau} \cdot (\mathcal{E}|_{-\tau}) : j \in \mathbb{N}, \tau \in T_Q\}.
$$

Lemma 3. The formula $\Phi_n$ separates $\mathbf{A}$ from $\mathbf{B}$.

Proof. Let $j \in \mathbb{N}$ and $\tau \in T_Q$. In a nutshell, the fact that $\emptyset^j \cdot \overline{\tau} \cdot \mathcal{E} \models \Phi_n$ follows from the fact that $\tau$ occurs in $\mathcal{E}$, and from the position corresponding to $\tau$ one can refer back to $\overline{\tau}$ and find in this way a position satisfying $p_i$ if and only if $q_i \in \tau$, for every $i \in [1, n]$. However, since $\tau$ is removed from $\mathcal{E}|_{-\tau}$, we see that $b := \emptyset^j \cdot \overline{\tau} \cdot (\mathcal{E}|_{-\tau}) \not\models \Phi_n$: indeed, $b[j] = \overline{\tau}$ corresponds to the only position in $b$ satisfying $p$, but $\tau$ does not appear in $b$ (since it does not appear in $\mathcal{E}|_{-\tau}$). Therefore, $\mathbf{A} \models \Phi_n$ and $\mathbf{B} \not\models \Phi_n$.


5.2 Separating $\mathbf{A}$ from $\mathbf{B}$ requires an exponential proof


We now show that every deduction tree for $\langle \mathbf{A}, \mathbf{B}\rangle$ has size at least $2^n$. To do so, we use a relation $\approx$ that, roughly speaking, states what elements $(a, b) \in \mathbf{A}^S \times \mathbf{B}^S$ are similar enough to require a non-trivial proof in order to be separated using the proof system. Formally, for $a, b \in \Sigma^+$, we write $a \approx b$ whenever:

$a$ and $b$ are in the language $\emptyset^u \cdot \rho \cdot \emptyset^{\alpha(n)} \cdot \Sigma^*$, for some $u \in \mathbb{N}$ and $\rho \in T_Q \cup T_P$.
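The following Python code is an added example, not code from the paper, serving both Section 5.1 and the definition of $\approx$ just given. It builds, for a given $n$, the types $T_Q$ and $T_P$, the involution $\overline{\cdot}$, the padded enumeration $\mathcal{E}$ (using the order $\{q\} \prec \{q, q_1\} \prec \{q, q_2\} \prec \dots$ of the example above), the traces $\mathcal{E}|_{-\tau}$, the relation $\approx$ (as `similar`) and the sets $A$ and $B$ used later in the proof of Lemma 5; it then checks Lemma 3 directly through the characterisation of $\Phi_n$ given in Section 3 and counts the pairs related by $\approx$, which the proof of Lemma 5 states to be $2^n$. The function names, the encoding of types as frozensets of proposition names and the `head` helper that parses the prefix $\emptyset^u \cdot \rho \cdot \emptyset^{\alpha(n)}$ are this example's own.

```python
from itertools import product

EMPTY = frozenset()   # the type with no proposition


def alpha(n):
    """alpha(n) = 2^(n+1) (n+2)^2, the Lemma 1 bound used as padding length."""
    return 2 ** (n + 1) * (n + 2) ** 2


def types_TQ(n):
    """T_Q, the types containing q and included in Q u {q}, in the fixed order <."""
    Q = [f'q{i}' for i in range(1, n + 1)]
    ts = [frozenset({'q'} | {a for a, b in zip(Q, bits) if b}) for bits in product((0, 1), repeat=n)]
    return sorted(ts, key=lambda t: (len(t), sorted(t)))   # {q} < {q,q1} < {q,q2} < {q,q1,q2}


def bar(tau):
    """The involution T_Q <-> T_P: q_i in tau iff p_i in bar(tau), and q <-> p."""
    return frozenset('p' + a[1:] if a[0] == 'q' else 'q' + a[1:] for a in tau)


def enumeration(n):
    """The trace E in (EMPTY^alpha(n) . T_Q)^(2^n) . EMPTY^alpha(n)."""
    pad = (EMPTY,) * alpha(n)
    E = ()
    for tau in types_TQ(n):
        E += pad + (tau,)
    return E + pad


def enumeration_minus(n, tau):
    """E|_{-tau}: E without the position of type tau and the alpha(n) empty positions before it."""
    E = enumeration(n)
    j = E.index(tau)
    return E[:j - alpha(n)] + E[j + 1:]


def head(trace, n):
    """(u, rho) if trace is in EMPTY^u . rho . EMPTY^alpha(n) . Sigma* with rho in T_Q u T_P, else None."""
    u = 0
    while u < len(trace) and trace[u] == EMPTY:
        u += 1
    if u == len(trace):
        return None
    rho = trace[u]
    in_TQ = 'q' in rho and all(a[0] == 'q' for a in rho)
    in_TP = 'p' in rho and all(a[0] == 'p' for a in rho)
    if not (in_TQ or in_TP):
        return None
    tail = trace[u + 1:u + 1 + alpha(n)]
    if len(tail) < alpha(n) or any(t != EMPTY for t in tail):
        return None
    return (u, rho)


def similar(a, b, n):
    """a ~ b (Section 5.2): same u and rho, each followed by alpha(n) empty positions."""
    ha = head(a, n)
    return ha is not None and ha == head(b, n)


def lemma5_sets(n):
    """A = {bar(tau).E} and B = {bar(tau).E|_{-tau}} for tau in T_Q, as in the proof of Lemma 5."""
    A = [(bar(tau),) + enumeration(n) for tau in types_TQ(n)]
    B = [(bar(tau),) + enumeration_minus(n, tau) for tau in types_TQ(n)]
    return A, B


def count_similar_pairs(n):
    """|C| = |{(a, b) in A x B : a ~ b}| for the sets of Lemma 5."""
    A, B = lemma5_sets(n)
    return sum(1 for a in A for b in B if similar(a, b, n))


def satisfies_phi(trace, n):
    """Direct check of the characterisation of Phi_n from Section 3 (conditions (i) and (ii))."""
    for j, tj in enumerate(trace):
        if 'q' not in tj:
            continue
        if all(any('p' in tk and ((f'p{i}' in tk) == (f'q{i}' in tj)) for tk in trace[:j + 1])
               for i in range(1, n + 1)):
            return True
    return False


def lemma3_holds(n):
    """Phi_n separates A from B, checked on the traces of lemma5_sets(n) (subsets of the A and B of Section 5.1)."""
    A, B = lemma5_sets(n)
    return all(satisfies_phi(a, n) for a in A) and not any(satisfies_phi(b, n) for b in B)


if __name__ == '__main__':
    print(alpha(2), len(enumeration(2)), count_similar_pairs(2), lemma3_holds(2))
```

For $n = 2$ the enumeration has length $5 \cdot 128 + 4 = 644$, removing a type shortens it by $129$ positions, exactly $2^2 = 4$ pairs are related by $\approx$ (the diagonal pairs $(\overline{\tau} \cdot \mathcal{E}, \overline{\tau} \cdot \mathcal{E}|_{-\tau})$), and the traces of $\mathbf{B}$ fail $\Phi_2$ precisely because their only $p$-position is $\overline{\tau}$ while $\tau$ no longer occurs.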


The central issue in the proof of the lower bound is counting how many of these pairs $a \approx b$ are preserved when applying the rules of the proof system. This count is done inductively on the size of the deduction tree, and allows us to derive the following lemma.


Lemma 4. Let $r_1, t_1, \dots, r_m, t_m \in \mathbb{N}$ and let $\tau_1, \dots, \tau_m \in T_Q$ be pairwise distinct sets. Consider $A \subseteq \mathbf{A}^S$, $B = \{(\emptyset^{t_i} \cdot \overline{\tau}_i \cdot \mathcal{E}|_{-\tau_i})[r_i\rangle : i \in [1, m]\}$, and $C = \{(a, b) \in A \times B : a \approx b\}$. Every deduction tree for $\langle A, B\rangle$ has size at least $|C| + 1$.


Proof. Below, suppose that $\langle A, B\rangle$ has a deduction tree (else the statement is trivially true). In particular, let $\mathcal{T}$ be a minimal deduction tree for $\langle A, B\rangle$, and assume it has size $s$. Note that the hypothesis that $\tau_1, \dots, \tau_m$ are distinct implies $|B| \leq 2^n$, which in turn implies $|C| \leq 2^n$ (by definition of $\approx$, for every $b \in B$ there is at most one $a \in \mathbf{A}^S$ such that $a \approx b$). Then, w.l.o.g. we can assume $s < \alpha(n)$; otherwise the lemma follows trivially.

During the proof, we write $\prec$ for the strict total order on elements of $T_Q$ used to construct the trace $\mathcal{E}$ enumerating $T_Q$. Before continuing the proof of the lemma, we highlight a useful property of the elements of $C$.


Claim 1. Let $(a, b) \in C$ and $i \in [1, m]$ with $b = (\emptyset^{t_i} \cdot \overline{\tau}_i \cdot \mathcal{E}|_{-\tau_i})[r_i\rangle$. Then, $b = \emptyset^u \cdot \rho \cdot \emptyset^{\alpha(n)} \cdot \sigma$, for some $u \in \mathbb{N}$, $\rho \in \{\overline{\tau}_i\} \cup \{\tau \in T_Q : \tau \prec \tau_i\}$ and $\sigma \in \Sigma^*$.


In a nutshell, this claim tells us that for every $(a, b) \in C$ we have $b \not\sqsubseteq \mathcal{E}$.

Let us go back to the proof of Lemma 4. If $A = \emptyset$ or $m = 0$ then $C = \emptyset$ and the lemma follows trivially. Below, let us assume $A \neq \emptyset$ and $m \geq 1$. We prove the statement by induction on the size $s$ of $\mathcal{T}$.

In the base case $s = 1$, $\mathcal{T}$ is a simple application of the rule ATOMIC. This means that for every $a \in A$ and $b \in B$ we have $a[0] \neq b[0]$. By definition of $\approx$, this implies $C = \emptyset$, and therefore $s \geq |C| + 1$.

Let us then consider the induction step $s \geq 2$. Note that if $|C| \leq 1$ then the statement follows trivially. Hence, below, we assume $|C| \geq 2$. We split the proof depending on the rule applied to the root $\langle A, B\rangle$ of $\mathcal{T}$. Since $s \geq 2$, this rule cannot be ATOMIC. We omit the cases for OR and AND, as they simply follow the induction hypothesis, and focus on the rules related to temporal operators.


• case: rules NEXT and WEAKNEXT. We consider NEXT and WEAKNEXT together, as both require $\langle A^X, B^X\rangle$. Perhaps surprisingly, this case is non-trivial. The main difficulty stems from the fact that $C' := \{(a, b) \in A^X \times B^X : a \approx b\}$ might in principle even be empty, and thus applying the induction hypothesis on $\langle A^X, B^X\rangle$ is unhelpful for concluding that $s \geq |C| + 1$. We now show how to circumvent this issue. The minimal deduction tree for $\langle A^X, B^X\rangle$ has size $s - 1$. Within this deduction tree, consider the maximal partial deduction tree $\mathcal{T}'$ rooted at $\langle A^X, B^X\rangle$ and made solely of applications of the rules AND, OR, NEXT and WEAKNEXT. Let $\langle A_1, B_1\rangle, \dots, \langle A_q, B_q\rangle$ be the leaves of such a tree. Let $j \in [1, q]$. In the tree $\mathcal{T}$, the rule applied to $\langle A_j, B_j\rangle$ is among ATOMIC, FUTURE and GLOBALLY. Let $\ell_j \geq 1$ be the number of NEXT and WEAKNEXT rules used in the path of $\mathcal{T}$ from $\langle A, B\rangle$ to $\langle A_j, B_j\rangle$. Note that, from $s < \alpha(n)$, we have $\ell_j < \alpha(n)$. We define the following two sets $C_j$ and $N_j$, whose role is essentially to “track” the evolution of pairs in $C$ with respect to $A_j \times B_j$:

$$
\begin{array}{rcl}
C_j & := & \{(a[\ell_j\rangle, b[\ell_j\rangle) \in A_j \times B_j : (a, b) \in C,\ a[\ell_j\rangle \approx b[\ell_j\rangle\}, \\
N_j & := & \{(a[\ell_j\rangle, b[\ell_j\rangle) \in A_j \times B_j : (a, b) \in C,\ a[\ell_j\rangle \not\approx b[\ell_j\rangle\}.
\end{array}
$$

The minimal deduction tree for $\langle A_j, B_j\rangle$ has size $s_j \geq |C_j| + 1$, by induction hypothesis. Claims 2 to 4 below highlight a series of properties on the sets $C_j$ and $N_j$ from which we derive $s \geq |C| + 1$.


Claim 2. For every $j \in [1, q]$, if $C_j \cup N_j \neq \emptyset$ then the rule applied to $\langle A_j, B_j\rangle$ in $\mathcal{T}$ is either FUTURE or GLOBALLY.


As already said, the rule applied to $\langle A_j, B_j\rangle$ is among the rules ATOMIC, FUTURE and GLOBALLY. Then, showing that $a[0] = b[0]$ for every $(a, b) \in C_j \cup N_j$ excludes the rule ATOMIC.


Claim 3. For every $j \in [1, q]$, $|N_j| \leq 1$.


The proof of this claim is by contradiction, assuming the existence of distinct $(a_1, b_1), (a_2, b_2) \in N_j$. In the proof, we analyse structural properties of the traces $a_1$, $a_2$, $b_1$ and $b_2$, and consider several cases depending on such properties (for instance, one case split depends on whether $a_1 \sqsubseteq a_2$). In all these cases, we reach a contradiction with either $(a_1, b_1) \neq (a_2, b_2)$ or Claim 2.


Claim 4. $|C| \leq \sum_{j=1}^{q} |C_j \cup N_j|$.


The claim follows as soon as one proves the following two statements:
1. for every $(a, b) \in C$ there is $j \in [1, q]$ such that $(a[\ell_j\rangle, b[\ell_j\rangle) \in C_j \cup N_j$,
2. for all distinct $(a_1, b_1), (a_2, b_2) \in C$, we have $(a_1[\ell\rangle, b_1[\ell\rangle) \neq (a_2[\ell\rangle, b_2[\ell\rangle)$ for every $\ell < \alpha(n)$ (recall that $\ell_j < \alpha(n)$, for every $j \in [1, q]$).
Item 1 is by induction on the size of $\mathcal{T}'$. Similarly to Claim 3, the proof of Item 2 again requires considering many cases, and uses properties of $\approx$, $\mathcal{E}$ and $\mathcal{E}|_{-\tau_i}$.


Thanks to Claims 3 and 4 one can then prove $s \geq |C| + 1$, concluding the proof for the rules NEXT and WEAKNEXT:

$$
\begin{array}{rcll}
s & \geq & 1 + \sum_{j=1}^{q} s_j & \text{by definition of } \mathcal{T} \text{ and } \mathcal{T}' \\
 & \geq & 1 + \sum_{j=1}^{q} (|C_j| + 1) & \text{by } s_j \geq |C_j| + 1 \text{ (induction hypothesis)} \\
 & \geq & 1 + \sum_{j=1}^{q} |C_j \cup N_j| & \text{by } |N_j| \leq 1 \text{ (Claim 3)} \\
 & \geq & |C| + 1 & \text{by } |C| \leq \sum_{j=1}^{q} |C_j \cup N_j| \text{ (Claim 4).}
\end{array}
$$


• case: rule FUTURE. Let $f \in F_A$ be the future point used when applying this rule. Define $C' := \{(a', b') \in A^f \times B^S : a' \approx b'\}$. The minimal deduction tree for $\langle A^f, B^S\rangle$ has size $s - 1$. By induction hypothesis, $s - 1 \geq |C'| + 1$, i.e., $s \geq |C'| + 2$. We divide the proof into two cases.

Case 1: for every $a' \in A^f$, $a' \not\sqsubseteq \mathcal{E}$. By definition of $\approx$, every $(a, b) \in C$ is such that $a$ and $b$ belong to the language $\emptyset^u \cdot \overline{\tau}_i \cdot \emptyset^{\alpha(n)} \cdot \Sigma^*$ for some $u \in \mathbb{N}$ and $i \in [1, m]$. Since $a^f \not\sqsubseteq \mathcal{E}$, we must have $f(a) < u + 1$. Then, $a^f \approx b[f(a)\rangle$. Note that distinct $(a, b) \in C$ concern distinct $\overline{\tau}_i$ with $i \in [1, m]$, and therefore, together with $b[f(a)\rangle \in B^S$, one concludes that $|C'| \geq |C|$; and so $s \geq |C| + 2$.


Case 2: there is $a' \in A^f$ such that $a' \sqsubseteq \mathcal{E}$. Let us denote with $\hat{a}$ the element in $A^f$ such that $\hat{a} \sqsubseteq a$ for every $a \in A^f$. The existence of such an element follows directly from the fact that $a' \sqsubseteq \mathcal{E}$ for some $a' \in A^f$.

Let $I \subseteq [1, m]$ be the subset of those indices $i \in [1, m]$ for which there is a pair $(a', b') \in C$ such that $b' = (\emptyset^{t_i} \cdot \overline{\tau}_i \cdot \mathcal{E}|_{-\tau_i})[r_i\rangle$. Without loss of generality, suppose $I = \{1, \dots, q\}$ for some $q \leq m$, and that $\tau_1 \prec \tau_2 \prec \cdots \prec \tau_q$; recall that all these types are pairwise distinct. By definition of $\approx$, for every $b' \in B$ there is at most one $a' \in \mathbf{A}^S$ such that $a' \approx b'$, and therefore $q = |C|$. To conclude the proof it suffices to show $|C'| \geq q - 1$. We do so by establishing a series of claims. Recall that we are assuming $|C| \geq 2$, so in particular $C$ and $I$ are non-empty.


Claim 5. There are $u \in \mathbb{N}$, $\rho \in T_Q$ and $\sigma \in (2^{AP})^*$ s.t. $\hat{a} = \emptyset^u \cdot \rho \cdot \emptyset^{\alpha(n)} \cdot \sigma$. Moreover, $\rho \preceq \tau_i$ for every $i \in I$.


The first statement of this claim is established from the definition of $\hat{a}$. The second statement is proven by contradiction. In particular, assuming that there is $i \in I$ such that $\tau_i \prec \rho$ yields a contradiction with Claim 1.

Below, we write $u$, $\rho$ and $\sigma$ for the objects appearing in Claim 5. Note that, from $\tau_1 \prec \cdots \prec \tau_q$, the second statement of Claim 5 implies $\rho \prec \tau_2 \prec \cdots \prec \tau_q$. For $i \in [2, q]$, let $(a_i, b_i)$ denote the pair in $C$ such that $b_i = (\emptyset^{t_i} \cdot \overline{\tau}_i \cdot \mathcal{E}|_{-\tau_i})[r_i\rangle$.


Claim 6. For each $i \in [2, q]$ there is $\ell \in \mathbb{N}$ such that $\hat{a} \approx b_i'$ with $b_i' := b_i[\ell\rangle$. Moreover, every type in $\{\tau_2, \dots, \tau_q\} \setminus \{\tau_i\}$ appears in some position of $b_i'$.


This claim is proven using Claims 1 and 5 and properties of $\mathcal{E}|_{-\tau_i}$.

Since all types $\tau_2, \dots, \tau_q$ are pairwise distinct, from the second statement in Claim 6 we conclude that $b_i' \neq b_j'$ for every two distinct $i, j \in I \setminus \{1\}$. Then, the first statement in Claim 6 entails $|C'| \geq q - 1$.


• case: rule GLOBALLY. Let $f \in F_B$ be the future point used when applying this rule. The minimal deduction tree for $\langle A^S, B^f\rangle$ has size $s - 1$. We define $C' := \{(a', b') \in A^S \times B^f : a' \approx b'\}$. By induction hypothesis, $s - 1 \geq |C'| + 1$, i.e., $s \geq |C'| + 2$. To conclude the proof it suffices to show that $|C'| \geq |C| - 1$ (in fact, we prove $|C'| \geq |C|$). Let $\{(a_1, b_1), \dots, (a_{|C|}, b_{|C|})\} = C$.


Claim 7. For every $j \in [1, |C|]$, $b_j^f$ is not a suffix of $\mathcal{E}$. More precisely, given $i \in [1, m]$ such that $b_j = (\emptyset^{t_i} \cdot \overline{\tau}_i \cdot \mathcal{E}|_{-\tau_i})[r_i\rangle$, we have $b_j^f = \emptyset^u \cdot \rho \cdot \emptyset^{\alpha(n)} \cdot \sigma$, for some $u \in \mathbb{N}$, $\rho \in \{\overline{\tau}_i\} \cup \{\tau \in T_Q : \tau \prec \tau_i\}$ and $\sigma \in \Sigma^*$.


See the similarities between this claim and Claim 1. The first statement is proven by contradiction, deriving an absurdum with the existence of $\mathcal{T}$. The second statement follows from the definition of $\mathcal{E}|_{-\tau_i}$.

Starting from Claim 7, we conclude that (i) for every $j \neq k \in [1, |C|]$, $b_j^f \neq b_k^f$, and (ii) for every $j \in [1, |C|]$ there is $\ell \in \mathbb{N}$ such that $a_j[\ell\rangle \approx b_j^f$. This directly implies $|C'| \geq |C|$. This concludes both the proof of the case GLOBALLY and the proof of the lemma.


Together, Lemmas 3 and 4 yield an exponential lower bound for all formulae of $\mathrm{LTL}[X, \widetilde{X}, F, G]$ characterising $\Phi_n$ (Lemma 5), which in turn implies Theorem 1.


Lemma 5. Let $\Psi_n \in \mathrm{LTL}[X, \widetilde{X}, F, G]$. If $\Psi_n \equiv \Phi_n$ then $\mathrm{size}(\Psi_n) \geq 2^n$.


Proof. We define the sets $A = \{\overline{\tau} \cdot \mathcal{E} : \tau \in T_Q\}$ and $B = \{\overline{\tau} \cdot \mathcal{E}|_{-\tau} : \tau \in T_Q\}$. Observe that $A \subseteq \mathbf{A} \subseteq \mathbf{A}^S$ and $B \subseteq \mathbf{B}$. Let $C = \{(a, b) \in A \times B : a \approx b\}$. From the definition of $\approx$, $|C| = 2^n$. We apply Lemma 4 and conclude that the minimal deduction tree for $\langle A, B\rangle$ has size at least $2^n$ (in fact, $2^n + 1$). Since $A \subseteq \mathbf{A}$ and $B \subseteq \mathbf{B}$, the same holds for the minimal deduction tree for $\langle \mathbf{A}, \mathbf{B}\rangle$. Then, the statement follows from Corollary 2 and Lemma 3.


While we do not prove it formally, we claim that Theorem 1 also holds for infinite traces. It is in fact quite simple to see this: all traces in $\mathbf{A}$ and $\mathbf{B}$ have a suffix of the form $\emptyset^{\alpha(n)}$. Roughly speaking, these suitably long suffixes are added to make the far end of the traces in $\mathbf{A}$ and $\mathbf{B}$ indistinguishable at the level of formulae, so that they cannot be used in deduction trees to separate $\mathbf{A}$ from $\mathbf{B}$. Then, to prove Theorem 1 for infinite traces, it suffices to update the proof system to handle these structures and consider an infinite suffix $\emptyset^\omega$ instead. The proof of Lemma 4 goes through with no significant change.

A second observation: traces in $\mathbf{A}$ and $\mathbf{B}$ are closed under taking arbitrarily long prefixes of the form $\emptyset^j$. This feature is not used to prove Lemma 5 (see the definition of $A$ and $B$ in the proof). However, these prefixes play a role in the next section, when studying the succinctness of $F(\mathrm{LTL}[Y, \widetilde{Y}, O, H])$ on infinite traces.


6 Theorem 2: a 2^n lower bound for LTL[F] pastification


In this section, we rely on Lemma 5 to prove Theorem 2 and Corollary 1.
Theorem 2 is proven by relying on a "future-past duality" between future
and past fragments of LTL. Given a trace σ ∈ Σ^+ we define the reverse of σ,
written σ^-, as the trace satisfying σ^-[i] = σ[|σ| − i] for every i ∈ pos(σ). The
reverse of a language L ⊆ Σ^+ is defined as the language L^- := {σ^- : σ ∈ L}.
Clearly, (L^-)^- = L. Given a set of temporal operators S ⊆ {X, X̃, F, G}, we write
S^- for the set of temporal operators among {Y, Ỹ, O, H} such that S^- contains Y
(resp. Ỹ; O; H) if and only if S contains X (resp. X̃; F; G). For finite traces, the
following lemma proves that if there is a family of languages (L_n)_{n≥1} that can be
compactly defined in F(LTL[O]) but explodes in LTL[X, X̃, F, G], then the family
(L_n^-)_{n≥1} can be compactly defined in LTL[F] but explodes in F(LTL[Y, Ỹ, O, H]).


Lemma 6. Let L ⊆ Σ^+, S ⊆ {X, X̃, F, G}, and φ be a formula in F(LTL[S^-]).
There is a formula ψ in F(LTL[S]) such that L(ψ) = L(φ)^- and size(ψ) = size(φ).

Theorem 2 follows by applying Lemma 6 on the family of formulae (Φ_n)_{n≥1}
defined in Section 3, and by relying on the exponential lower bounds of Lemma 5.
The sequence of languages showing that LTL[F] can be exponentially more succinct
than F(LTL[Y, Ỹ, O, H]) is given by (L(Φ_n)^-)_{n≥1}.

Next, we extend Theorem 2 to the case of infinite traces. As usual, let Σ^ω be
the set of all infinite traces over the finite alphabet Σ. We denote with L^ω(φ)
the language of φ, when φ is interpreted over infinite traces (we refer the reader
to, e.g., [2] for the semantics of LTL on infinite traces).


Lemma 7. The family of languages of infinite traces (L(Φ_n)^- · Σ^ω)_{n≥1} is such
that, for every n ≥ 1, (i) there is a formula φ of LTL[F] such that size(φ) ∈ O(n)
and L^ω(φ) = L(Φ_n)^- · Σ^ω, and (ii) for every formula ψ in F(LTL[Y, Ỹ, O, H]),
if L^ω(ψ) = L(Φ_n)^- · Σ^ω then size(ψ) ≥ 2^n.


Item (i) in the lemma above follows by applying Lemma 6 and exploiting the fact
that formulae φ in LTL[F] satisfy L^ω(φ) = L(φ) · Σ^ω and L(φ) = L(φ) · Σ^* (cf. [3,
Definition 5 and Lemma 5]). The proof of Item (ii) is instead quite subtle. One
would like to use the hypothesis L^ω(ψ) = L(Φ_n)^- · Σ^ω and that L(ψ) is a cosafety
language to derive L(ψ) = L(Φ_n)^-. However, note that nothing prevents L(ψ) from
being equal to L(Φ_n)^- · Σ^*, and as it stands we do not have bounds for characterising
this language. We apply instead the following strategy. We consider the families of
structures A' := {a^- · ∅^ω : a ∈ A} and B' := {b^- · ∅^ω : b ∈ B}. Note that A' ⊆
L^ω(ψ) and B' ∩ L^ω(ψ) = ∅. Since ψ is of the form F(α) with α ∈ LTL[Y, Ỹ, O, H],
we can, roughly speaking, study the effects of applying to A' and B' a variant of
the rule FUTURE for infinite words that does not "forget the past", and then
reverse all traces in the resulting sets (A')^f and (B')^f. In this way, we obtain two
sets of finite traces Â ⊆ A and B̂ ⊆ B (this is where the prefixes ∅^k discussed
at the end of Section 5 play a role). We show that the hypotheses of Lemma 4
apply to Â and a set B̃ ⊆ B̂ for which the set {(a, b) ∈ Â × B̃ : a ~ b} has size
at least 2^n − 1. By Corollary 2 we get that α, and thus ψ, is of size at least 2^n.

Lemma 7 shows that Theorem 2 holds over infinite traces as well. Together
with the 2^{O(n)} upper bound for the pastification problem for LTL[X, F] into
F(LTL[Y, Ỹ, O]) established in [4],⁶ this entails Corollary 1.


7 The automata method does not work for F(LTL[O])


In this section we show that the classical method introduced by Markey in [20]
to prove "future against past" succinctness discrepancies in fragments of LTL
cannot be used to prove the results in Section 5, namely that F(LTL[O]) can be
exponentially more succinct than LTL[X, X̃, F, G]. Due to space constraints, we
assume a basic familiarity with non-deterministic Büchi automata (NBAs) (and
deterministic Büchi automata, DBAs), which are central tools in [20]. Moreover,
we work on LTL on infinite traces, as done in [20], and write φ ≡_ω ψ whenever
L^ω(φ) = L^ω(ψ). We write L^ω(A) for the language of an NBA A.

Proposition 1 below summarises the method in [20], which is parametric on a
fixed prefix Π of operators among X, F and G. Given two fragments F, F' of LTL,
with F' pure future, to apply the method one has to provide the two families of
formulae (Φ_n)_{n≥1} ∈ F and (Φ'_n)_{n≥1} ∈ F', as well as the family of minimal NBAs
(A_n)_{n≥1}, satisfying the hypotheses of Proposition 1. In [20], this is done for
F = LTL and F' set as the pure future fragment of LTL, using the prefix Π = G.

⁶ To be more precise, the authors of [4] only provide a 2^{O(n^2)} upper bound for their
algorithm. Their analysis can however be easily improved to 2^{O(n)}.


Proposition 1 (Markey's method [20]). Let F, F' be fragments of LTL, with
F' pure future. Consider two families of formulae (Φ_n)_{n≥1} ∈ F, (Φ'_n)_{n≥1} ∈ F',
and a family of minimal NBAs (A_n)_{n≥1}, such that

  size(A_n) ∈ 2^{2^{Ω(n)}},   size(Φ_n) ∈ poly(n),   Φ_n ≡_ω Φ'_n,   L^ω(Π(Φ'_n)) = L^ω(A_n).

Then, size(Φ'_n) ∈ 2^{size(Φ_n)^{Ω(1)}} and F can be exponentially more succinct than F'.


The consequence size(Φ'_n) ∈ 2^{size(Φ_n)^{Ω(1)}} obtained in Proposition 1 follows directly
from the fact that, from every pure future LTL formula ψ, one can build
an NBA A of size 2^{O(size(ψ))} such that L^ω(A) = L^ω(ψ) [26]. Then, the hypotheses
size(A_n) ∈ 2^{2^{Ω(n)}} and L^ω(Π(Φ'_n)) = L^ω(A_n) imply size(Φ'_n) ∈ 2^{Ω(n)}.

To show that Proposition 1 cannot be used to derive that F := F(LTL[O])
can be exponentially more succinct than F' := LTL[X, X̃, F, G], it suffices to show
that no families (Φ_n)_{n≥1} ∈ F, (Φ'_n)_{n≥1} ∈ F' and (A_n)_{n≥1} achieve the hypotheses
required by Proposition 1, no matter the temporal prefix Π. We do so by
establishing that whenever size(Φ_n) ∈ poly(n) and Φ_n ≡_ω Φ'_n, the minimal
deterministic Büchi automaton for L^ω(Π(Φ'_n)) has size in 2^{O(poly(n))}. Therefore,
no family of minimal NBAs (A_n)_{n≥1} such that size(A_n) ∈ 2^{2^{Ω(n)}} can also satisfy
the hypothesis L^ω(Π(Φ'_n)) = L^ω(A_n). Here is the formal statement:


Theorem 4. Let Π be a prefix of k temporal operators among X, F and G. Let φ
be a formula of F(LTL[O]), and ψ be a formula of LTL[X, X̃, F, G], with φ ≡_ω ψ.
The minimal DBA for L^ω(Π(ψ)) is of size in (k + 1) · 2^{O(size(φ))}.


The proof of this theorem is divided into three steps.

As a first step, one shows that ψ ≡_ω Fψ, which essentially follows from the
fact that ψ ≡_ω φ with φ ∈ F(LTL[O]). Together with tautologies of LTL such as
FGFψ' ≡_ω GFψ', FXψ' ≡_ω XFψ' and GXψ' ≡_ω XGψ', the equivalence ψ ≡_ω Fψ
lets us rearrange Π into a prefix of the form either X^j GF or X^j F, for some j ≤ k.
Let us focus on the former (more challenging) case of Π = X^j GF.

The second step required for the proof is to bound the size of the minimal
DBA A recognising L^ω(Fψ). Thanks to the equivalences φ ≡_ω ψ ≡_ω Fψ, such a
DBA has size exponential in size(φ) by the following lemma.


Lemma 8. Let φ be in F(LTL[O]). There is a DBA for L^ω(φ) of size 2^{O(size(φ))}.


112 L. Geatti et al. 


Starting from A, the third and last step of the proof requires constructing
a DBA for L^ω(X^j GFψ) of size in (j + 1) · 2^{O(size(φ))}. The treatment for the
prefix X^j is simple, so this step is mostly dedicated to constructing a DBA for
L^ω(GFψ). In the case of LTL, it is known that closing an NBA under the globally
operator G might lead to a further exponential blow-up (in fact, this is one of the
reasons Markey's method is possible in the first place). However, because φ is
in F(LTL[O]), and L^ω(φ) is thus a cosafety language (and so L^ω(ψ) is a cosafety language
too), it turns out that the size of the minimal DBA for L^ω(GFψ) is in O(size(A)).


Lemma 9. Let ψ be in LTL, such that L^ω(ψ) is a cosafety language. Let A be
a DBA for L^ω(Fψ). The minimal DBA for L^ω(GFψ) has size in O(size(A)).


Thanks to Lemma 9, the proof of Theorem 4 can be easily completed. To
prove this lemma, one modifies A by redirecting all transitions exiting a final
state so that they mimic the transitions exiting the initial state of the automaton.
The reason why the obtained automaton recognises L^ω(GFψ) uses in a crucial
way the fact that L^ω(ψ) and L^ω(Fψ) are cosafety languages.
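The redirection construction just sketched, together with a lasso-based acceptance check one can use to validate it, as an added Python example (this is not code from the paper). The DBA for F(p ∧ X q), the alphabet 2^{p,q}, and the reference semantics used for the exhaustive comparison are all constructed here for the illustration; the construction is only claimed to be correct, as in Lemma 9, when the starting automaton recognises F of a cosafety language.

```python
from itertools import combinations, product

PROPS = ("p", "q")
# Alphabet 2^AP: a letter is the set of propositions true at that position (constructed example).
ALPHABET = [frozenset(s) for r in range(len(PROPS) + 1) for s in combinations(PROPS, r)]
P, Q, PQ, EMPTY = frozenset("p"), frozenset("q"), frozenset("pq"), frozenset()


class DBA:
    """Complete deterministic Büchi automaton; delta maps (state, letter) to the successor state."""

    def __init__(self, states, init, delta, accepting):
        self.states = set(states)
        self.init = init
        self.delta = dict(delta)
        self.accepting = set(accepting)

    def accepts_lasso(self, prefix, loop):
        """Decide the ultimately periodic word prefix · loop^ω: run the prefix, then replay the
        loop until the state at a loop boundary repeats; the states recorded between the two
        occurrences are exactly those visited infinitely often, so Büchi acceptance is a membership test."""
        assert loop, "the periodic part must be non-empty"
        s = self.init
        for a in prefix:
            s = self.delta[(s, a)]
        first_seen, visited = {}, []
        while s not in first_seen:
            first_seen[s] = len(visited)
            for a in loop:
                s = self.delta[(s, a)]
                visited.append(s)
        return any(t in self.accepting for t in visited[first_seen[s]:])


def dba_for_F_p_then_q():
    """Hand-built DBA for F(p ∧ X q), the F of a cosafety property (hypothetical example, not from the paper):
    state 0 = nothing pending, 1 = the last letter contained p, 2 = accepting sink once p was followed by q."""
    delta = {}
    for a in ALPHABET:
        delta[(0, a)] = 1 if "p" in a else 0
        delta[(1, a)] = 2 if "q" in a else (1 if "p" in a else 0)
        delta[(2, a)] = 2
    return DBA({0, 1, 2}, 0, delta, {2})


def gf_closure(aut):
    """The construction sketched for Lemma 9: same states and accepting set, but every transition
    leaving an accepting state is redirected to the target the initial state has on the same letter.
    The lemma guarantees correctness only when the input recognises F of a cosafety language."""
    delta = dict(aut.delta)
    for s in aut.accepting:
        for a in ALPHABET:
            delta[(s, a)] = aut.delta[(aut.init, a)]
    return DBA(aut.states, aut.init, delta, aut.accepting)


def spec_GF_p_then_q(prefix, loop):
    """Reference semantics of GF(p ∧ X q) on prefix · loop^ω: infinitely many occurrences exist
    iff one occurrence lies inside the periodic part (two copies of the loop cover the wrap-around)."""
    w = list(loop) + list(loop)
    return any("p" in w[i] and "q" in w[i + 1] for i in range(len(loop)))


def agrees_with_spec(max_len=3):
    """Exhaustively compare the closed automaton against the reference semantics on every lasso
    whose prefix and loop have length at most max_len."""
    g = gf_closure(dba_for_F_p_then_q())
    words = [list(t) for n in range(max_len + 1) for t in product(ALPHABET, repeat=n)]
    return all(g.accepts_lasso(u, v) == spec_GF_p_then_q(u, v) for u in words for v in words if v)
```

The closed automaton has exactly the states of the input, which is the O(size(A)) bound of the lemma; the exhaustive lasso comparison is the kind of check worth running before trusting a hand-derived automaton construction, since every ω-regular language is determined by its ultimately periodic words.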


8 Related and Future Work 


The proof systems we use in this work to establish Theorem 2 and Theorem 1 are
strongly related to recent work in two seemingly disconnected areas of computer
science: (i) combinatorial games for formulae lower bounds of first-order logics
and (ii) learning of LTL formulae in explainable planning and program synthesis.


Combinatorial games. We have already discussed the connections between our
proof system and the CTL⁺ games by Adler and Immerman [1]. Recently, Fagin
and coauthors [10] have looked at combinatorial games that allow to count the
number of quantifiers required to express a property in first-order logic. While
these games simplify Adler-Immerman games, they come with a drawback: by
design, they implicitly look at how to express properties with first-order formulae
in prenex normal form, and they are not able to give any bound on the
quantifier-free part of such formulae. It seems then not possible to use these
types of games in the context of LTL. One could in principle consider translations
of LTL formulas into a prenex fragment of S1S. However, since S1S is both
more expressive and more succinct than LTL [25], concluding that LTL[F] can
be exponentially more succinct than F(LTL[Y, Ỹ, O, H]) will ultimately require
analysing structural properties of the quantifier-free part of the S1S formulae.
Closer to the case of LTL are the games on linear orders (implicitly) used
by Grohe and Schweikardt in [14]. These are formula-size games for a fixed
number of variables of first-order logic. Using our notation, the method used to
derive lower bounds in [14] relies on defining a function w from terms of the
form ⟨A, B⟩ to N that acts as a sub-additive measure with respect to the rules
of the proof system. For instance, according to the rule OR, w should satisfy
w(⟨A, B⟩) ≤ w(⟨A_1, B⟩) + w(⟨A_2, B⟩) whenever A = A_1 ⊎ A_2. One can use a
sub-additive measure w to conclude that the minimal deduction tree for ⟨A, B⟩, if
it exists, has size at least w(⟨A, B⟩). When restricted to the objects in Lemma 4,
one can show that the function w(⟨A, B⟩) = |{(a, b) ∈ A × B : a ~ b}| + 1 is
a sub-additive measure with respect to the rules ATOMIC, OR, AND, FUTURE
and GLOBALLY (this is implicit in the proof of Lemma 4). However, it is not
a sub-additive measure for the rules NEXT and WEAKNEXT: as stressed in the
proof, we might have w(⟨A*, B*⟩) = 1 even for w(⟨A, B⟩) arbitrarily large. This
partially explains why the proof of Lemma 4 turned out to be quite involved.

In view of the optimality of the algorithm in [4] (Corollary 1), the main open
problem regarding pastification is the optimality of the triply-exponential time
procedure given in [7] for the pastification of LTL[X, U] into F(pLTL). As far as we
are aware, no super-polynomial lower bound for this problem is known. Our proof
system, properly extended with rules for the until and release operators, might
be able to tackle this issue. Obtaining a matching triply-exponential lower bound
might however be impossible: when restricted to propositional logic, our proof
system is equivalent to the communication games introduced by Karchmer and
Wigderson [15]. It is well known that these games cannot prove super-quadratic
lower bounds for formula sizes, and one should expect similar limitations for
temporal logics, albeit with respect to some function that is at least exponential.


LTL formulae learning. Motivated by the practical issue of understanding a
complex system starting from its execution traces, several recent works study
the algorithmic problem of finding an LTL formula separating two finite sets of
traces, see e.g. [21, 5, 24, 11, 12]. In light of Theorem 3, this problem is equivalent
to finding a proof in (possibly variations of) our combinatorial proof system.
We believe that this simple observation will turn out to be quite fruitful for
both the "combinatorial games" and the "formula learning" communities. From
our experience, tools such as the ones developed in [21, 5, 24] are quite useful
when studying combinatorial lower bounds, as they can be used to empirically
test whether families of structures are difficult to separate, before attempting a
formal proof. In our case, we have used such a tool while searching for the
structures and formulae we ended up using in Section 5, and discarded several
other candidates thanks to the evidence the tool gave us. On the other side of
the coin, combinatorial proof systems can be seen as a common foundational
framework for all these formula-learning procedures. With this in mind, we
believe that the techniques developed for proving lower bounds in works such
as the ones discussed above might be of help for improving these procedures, for example using the
minimization of a sub-additive measure as a heuristic.
Abstract. Modern SAT or QBF solvers are expected to produce correctness
certificates. However, certificates have worst-case exponential
size (unless NP = coNP), and at recent SAT competitions the largest 
certificates of unsatisfiability are starting to reach terabyte size. 
Recently, Couillard, Czerner, Esparza, and Majumdar have suggested 
to replace certificates with interactive proof systems based on the IP = 
PSPACE theorem. They have presented an interactive protocol between 
a prover and a verifier for an extension of QBF. The overall running 
time of the protocol is linear in the time needed by a standard BDD- 
based algorithm, and the time invested by the verifier is polynomial in 
the size of the formula. (So, in particular, the verifier never has to read 
or process exponentially long certificates). We call such an interactive 
protocol competitive with the BDD algorithm for solving QBF. 

While BDD-algorithms are state-of-the-art for certain classes of QBF 
instances, no modern (UN)SAT solver is based on BDDs. For this reason, 
we initiate the study of interactive certification for more practical SAT 
algorithms. In particular, we address the question whether interactive 
protocols can be competitive with some variant of resolution. We present 
two contributions. First, we prove a theorem that reduces the problem of 
finding competitive interactive protocols to finding an arithmetisation of 
formulas satisfying certain commutativity properties. (Arithmetisation 
is the fundamental technique underlying the IP = PSPACE theorem.) 
Then, we apply the theorem to give the first interactive protocol for the 
Davis-Putnam resolution procedure. 


1 Introduction 


Automated reasoning tools should provide evidence of their correct behaviour. A
substantial amount of research has gone into proof-producing automated reasoning
tools [12, 7, 16, 10, 3]. These works define a notion of "correctness certificate"
and adapt the reasoning engine to produce independently checkable certificates.
For example, SAT solvers produce either a satisfying assignment or a proof of
unsatisfiability in some proof system, e.g. resolution (see [12] for a survey).

Current tools may produce certificates for UNSAT with hundreds of GiB or
even, in extreme cases, hundreds of TiB [13]. This makes checking the certificate,
or even sending it to a verifier, computationally expensive. Despite much progress
on reducing the size of proofs and improving the efficiency of checking proofs (see
e.g. [11, 12]), this problem is of fundamental nature: unless NP = coNP, which
is considered very unlikely, certificates for UNSAT have worst-case exponential
size in the size of the formula.

The IP = PSPACE theorem, proved in 1992 by Shamir [18], presents a possible
fundamental solution to this problem: interactive proofs.¹ A language is in IP if
there exists a sound and complete interactive proof protocol between two agents,
Prover and Verifier, that Verifier can execute in randomised polynomial time
[7, 2, 15, 1]. Completeness means that, for any input in the language, an honest
prover that truthfully follows the protocol will convince Verifier to accept the
input. Soundness means that, for any input not in the language, Verifier will
reject it with high probability, no matter how Prover behaves. "Conventional"
certification is the special case of interactive proof in which Prover sends Verifier
only one message, the certificate, and Verifier is convinced with probability 1.
The IP = PSPACE theorem implies the existence of interactive proof protocols
for UNSAT in which Verifier only invests polynomial time in the size of the
formula. In particular, Verifier must never check exponentially long certificates
from Prover, as is the case for conventional certification protocols in which Prover
generates a proof in the resolution, DRAT, or any other of the proof systems
found in the literature, and Verifier checks each step of the proof.

Despite its theoretical promise, the automated reasoning community has not
yet developed tools for UNSAT or QBF with interactive proof protocols. In a
recent paper [5], Couillard, Czerner, Esparza, and Majumdar venture a possible
explanation. They argue that all interactive certification protocols described in
the literature have been designed to prove asymptotic complexity results, for
which it suffices to use honest provers that construct the full truth table of the
formula. Such provers are incompatible with automated reasoning tools, which
use more sophisticated data structures and heuristics. To remedy this, Couillard
et al. propose to search for interactive proof protocols based on algorithms closer
to those used in automatic reasoning tools. In [5], they consider the standard
BDD-based algorithm for QBF and design an interactive proof protocol based
on it.

While BDDs are still considered interesting for QBF, the consensus is that 
they are not state-of-the-art for UNSAT due to their high memory consumption. 
In this paper we initiate the study of interactive certification for SAT-solving 
algorithms closer to the ones used in tools. For this, given an algorithm Alg and 
an interactive protocol P, both for UNSAT, we say that P is competitive for 
Alg if the ratio between the runtime of Prover in P and the runtime of Alg on 
inputs of length n is bounded by a polynomial in n. So, loosely speaking, if P is 
competitive with Alg, then one can add interactive verification to Alg with only 
polynomial overhead. The general question we address is: which algorithms for 
UNSAT have competitive interactive proof protocols? 

Our first contribution is a generic technique that, given an algorithm for UN- 
SAT satisfying certain conditions, constructs a competitive interactive protocol. 


1 In our context it would be more adequate to speak of interactive certification, but 
we use the standard terminology. 


118 P. Czerner, J. Esparza, V. Krasotin 


Let us be more precise. We consider algorithms for UNSAT that, given a formula
φ_0, construct a sequence φ_0, φ_1, ..., φ_k of formulas such that φ_i is equisatisfiable
to φ_{i+1}, and there is a polynomial algorithm that decides if φ_k is unsatisfiable.
Our interactive protocols are based on the idea of encoding the formulas in this
sequence as polynomials over a finite field in such a way that the truth value
of the formula for a given assignment is determined by the value of the polynomial
on that assignment. The encoding procedure is called arithmetisation. We
introduce the notion of an arithmetisation compatible with a given algorithm.
Loosely speaking, compatibility means that for each step φ_i → φ_{i+1}, there is an
operation on polynomials mimicking the operation on formulas that transforms
φ_i into φ_{i+1}. We show that the problem of finding a competitive interactive protocol
for a given algorithm Alg for UNSAT reduces to finding an arithmetisation
compatible with Alg.

In our second contribution, we apply our technique to construct the first interactive
protocol competitive with a simplified version of the well-known Davis-Putnam
procedure (see e.g. section 2.9 of [9]). Our version fixes a total order
on variables, resolves exhaustively with respect to the next variable, say x, and
then "locks" all clauses containing x or ¬x, ensuring that they are never resolved
again w.r.t. any variable. We show that, while standard arithmetisations are
not compatible with Davis-Putnam, a non-standard arithmetisation is. In our
opinion, this is the main insight of our paper: in order to find interactive protocols
for sophisticated algorithms for UNSAT, one can very much profit from
non-standard arithmetisations.

The paper is structured as follows. Section 2 contains preliminaries. Section 3
presents interactive proof systems and defines interactive proof systems competitive
with a given algorithm. Section 4 defines our version of the Davis-Putnam
procedure. Section 5 introduces arithmetisations, and defines arithmetisations
compatible with a given algorithm. Section 6 presents an interactive proof system
for Davis-Putnam. Section 7 contains conclusions.


2 Preliminaries 


Multisets. A multiset over a set S is a mapping m : S → N. We also write
multisets using set notation, for example we write {x, x, y} or {2·x, y}. Given
two multisets m_1 and m_2, we define m_1 ⊕ m_2 as the multiset given by (m_1 ⊕
m_2)(s) = m_1(s) + m_2(s) for every s ∈ S, and m_1 ⊖ m_2 as the multiset given by
(m_1 ⊖ m_2)(s) = max{0, m_1(s) − m_2(s)} for every s ∈ S.


Formulas, CNF, and resolution. A Boolean variable has the form x_i where
i = 1, 2, 3, .... Boolean formulas are defined inductively: true, false and variables
are formulas; if φ and ψ are formulas, then so are ¬φ, φ ∨ ψ, and φ ∧ ψ. A
literal is a variable or the negation of a variable. A formula φ is in conjunctive
normal form (CNF) if it is a conjunction of disjunctions of literals. We represent
a formula in CNF as a multiset of clauses where a clause is a multiset of literals.
For example, the formula (x ∨ x ∨ x ∨ ¬y) ∧ z ∧ z is represented by the multiset

  {{3·x, ¬y}, 2·{z}}.
Remark 1. Usually CNF formulas are represented as sets of clauses, which are
defined as sets of literals. Algorithms that manipulate CNF formulas using the
set representation are assumed to silently remove duplicate clauses or duplicate
literals. In this paper, due to the requirements of interactive protocols, we need
to make these steps explicit. In particular, we use multiset notation for clauses.
For example, C(x) denotes the number of occurrences of x in C.


We assume in the paper that formulas are in CNF. Abusing language, we use
φ to denote both a (CNF) formula and its multiset representation.


Resolution. Resolution is a proof system for CNF formulas. Given a variable x,
a clause C containing exactly one occurrence of x and a clause C' containing
exactly one occurrence of ¬x, the resolvent of C and C' with respect to x is the
clause Res_x(C, C') := (C ⊖ {x}) ⊕ (C' ⊖ {¬x}).

For example, Res_x({x, ¬y, z}, {¬x, ¬w}) = {¬y, z, ¬w}. It is easy to see that
C ∧ C' and Res_x(C, C') are equisatisfiable. A resolution refutation for a formula
φ is a sequence of clauses ending in the empty clause whose elements are either
clauses of φ or resolvents of two previous clauses in the sequence. It is well known
that φ is unsatisfiable iff there exists a resolution refutation for it. There exist
families of formulas, like the pigeonhole formulas, for which the length of the
shortest resolution refutation grows exponentially in the size of the formula, see
e.g. [BH].


Polynomials. Interactive protocols make extensive use of polynomials over a
finite field F. Let X be a finite set of variables. We use x, y, z, ... for variables
and p, p_1, p_2, ... for polynomials. We use the following operations on polynomials:

- Sum, difference, and product, denoted p_1 + p_2, p_1 − p_2, p_1 · p_2, and defined as
  usual. For example, (3xy − x^2) + (x^2 + yz) = 3xy + yz and (x + y) · (x − y) =
  x^2 − y^2.
- Partial evaluation. Denoted π_{[x:=a]} p, it returns the result of setting the variable
  x to the field element a in the polynomial p, e.g. π_{[x:=5]}(3xy − x^2) = 15y − 25.

A (partial) assignment is a (partial) mapping σ : X → F. We write π_σ p
for π_{[x_1:=σ(x_1)]} ··· π_{[x_k:=σ(x_k)]} p, where x_1, ..., x_k are the variables for which σ is
defined. Additionally, we call a (partial) assignment σ binary if σ(x) ∈ {0, 1} for
each x ∈ X.

The following lemma is at the heart of all interactive proof protocols. Intuitively,
it states that if two polynomials are different, then they are different for
almost every input. Therefore, by picking an input at random, one can check
polynomial equality with high probability.

The following lemma is at the heart of all interactive proof protocols. Intu- 
itively, it states that if two polynomials are different, then they are different for 
almost every input. Therefore, by picking an input at random, one can check 
polynomial equality with high probability. 


Lemma 1 (Schwartz-Zippel Lemma). Let p_1, p_2 be distinct univariate polynomials
over F of degree at most d ≥ 0. Let r be selected uniformly at random
from F. The probability that p_1(r) = p_2(r) holds is at most d/|F|.

Proof. Since p_1 ≠ p_2, the polynomial p := p_1 − p_2 is not the zero polynomial and
has degree at most d. Therefore p has at most d zeros, and so the probability of
p(r) = 0 is at most d/|F|.
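The random-point equality test that the lemma licenses, as an added Python example (not code from the paper): polynomials are coefficient lists over a constructed small prime field F_101, chosen small on purpose so that the full agreement set of two distinct polynomials can be enumerated and compared with the d/|F| bound. The function names and the choice of field are assumptions of this example; a real protocol uses a field large enough that d/|F| is negligible.

```python
import random

PRIME = 101   # constructed: a small prime field F_101, so the agreement set can be enumerated by brute force


def poly_eval(coeffs, r, p=PRIME):
    """Value of coeffs[0] + coeffs[1]·r + coeffs[2]·r^2 + ... over F_p, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * r + c) % p
    return acc


def degree(coeffs, p=PRIME):
    """Degree over F_p of the polynomial with the given coefficient list (-1 for the zero polynomial)."""
    return max((i for i, c in enumerate(coeffs) if c % p), default=-1)


def poly_sub(p1, p2, p=PRIME):
    """Coefficient list of p1 - p2 over F_p."""
    n = max(len(p1), len(p2))
    get = lambda q, i: q[i] if i < len(q) else 0
    return [(get(p1, i) - get(p2, i)) % p for i in range(n)]


def agreement_set(p1, p2, p=PRIME):
    """All r in F_p with p1(r) = p2(r), i.e. the roots of p1 - p2; Lemma 1 says at most deg(p1 - p2) many."""
    return [r for r in range(p) if poly_eval(p1, r, p) == poly_eval(p2, r, p)]


def verifier_check(p1, p2, seed=None, p=PRIME, repetitions=1):
    """Verifier's randomised equality test: draw r uniformly from F_p and compare the two values.
    Equal polynomials always pass; distinct ones pass with probability at most (d/p)^repetitions.
    Returns the verdict and the sampled points so a caller can audit the run."""
    rng = random.Random(seed)
    points = [rng.randrange(p) for _ in range(repetitions)]
    passed = all(poly_eval(p1, r, p) == poly_eval(p2, r, p) for r in points)
    return passed, points


def soundness_bound(p1, p2, p=PRIME, repetitions=1):
    """The d/|F| bound of Lemma 1, raised to the number of independent repetitions."""
    d = max(degree(p1, p), degree(p2, p), 0)
    return (d / p) ** repetitions
```

The asymmetry in the two error directions is what the protocol designer relies on: an honest Prover's polynomial is never rejected, and a dishonest Prover's substitute polynomial can only survive if Verifier happens to sample one of its at most d agreement points, which is why the field size, not the formula size, governs the soundness error.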
3 Interactive Proof Systems


An interactive protocol is a sequence of interactions between two parties: Prover
and Verifier. Prover has unbounded computational power, whereas Verifier is a
randomised, polynomial-time algorithm. Initially, the parties share an input x
that Prover claims belongs to a given language L (e.g. UNSAT). The parties
alternate in sending messages to each other according to a protocol. Intuitively,
Verifier repeatedly asks Prover to send information. At the end of the protocol,
Verifier accepts or rejects the input.

Formally, let V, P denote (randomised) online algorithms, i.e. given a sequence
of inputs m_1, m_2, ... ∈ {0,1}^* they compute a sequence of outputs,
e.g. V(m_1), V(m_1, m_2), .... We say that (m_1, ..., m_{2k}) is a k-round interaction,
with m_1, ..., m_{2k} ∈ {0,1}^*, if m_{i+1} = V(m_1, ..., m_i) for odd i and m_{i+1} =
P(m_1, ..., m_i) for even i.

The output out_{V,P}(x) is m_{2k}, where (m_1, ..., m_{2k}) is a k-round interaction
with m_1 = x. We also define the Verifier-time vtime_{V,P}(x) as the expected time
it takes V to compute m_2, m_4, ..., m_{2k} for any k-round interaction (m_1, ..., m_{2k})
with m_1 = x. We define the Prover-time ptime_{V,P}(x) analogously.

Let L be a language and p : N → N a polynomial. A tuple (V, P_H, p)
is an interactive protocol for L if for each x ∈ {0,1}^* of length n we have
vtime_{V,P_H,p(n)}(x) ∈ O(poly n) and:

1. (Completeness) x ∈ L implies out_{V,P_H,p(n)}(x) = 1 with probability 1, and
2. (Soundness) x ∉ L implies that for all P we have out_{V,P,p(n)}(x) = 1 with
   probability at most 2^{−n}.

The completeness property ensures that if the input belongs to the language
L, then there is an "honest" Prover P_H who can always convince Verifier that
indeed x ∈ L. If the input does not belong to the language, then the soundness
property ensures that Verifier rejects the input with high probability no matter
how a (dishonest) Prover tries to convince it.

IP is the class of languages for which there exists an interactive protocol. It
is known that IP = PSPACE [15, 18], that is, every language in PSPACE has a
polynomial-round interactive protocol. The proof exhibits an interactive protocol
for the language QBF of true quantified boolean formulas; in particular, the
honest Prover is a polynomial-space, exponential-time algorithm.


3.1 Competitive Interactive Protocols 


In an interactive protocol there are no restrictions on the running time of Prover.
The existence of an interactive protocol for some coNP-complete problem in
which Prover runs in polynomial time would imply e.g. NP ⊆ BPP. Since this
is widely believed to be false, Provers are allowed to run in exponential time, as
in the proofs of [15, 18]. However, while all known approaches for UNSAT use
exponential time in the worst case, some perform much better in practice than
others. For example, the Provers of [15, 18] run in exponential time in the best
case. This motivates our next definition: instead of stating that Prover must
always be efficient, we say that it must have a bounded overhead compared to
some given algorithm Alg.

Formally, let L ⊆ {0,1}^* be a language, let Alg be an algorithm for L, and let
(V, P_H, p) be an interactive protocol for L. We say that (V, P_H, p) is competitive
with Alg if for every input x ∈ {0,1}^* of length n we have ptime_{V,P_H,p(n)}(x) ∈
O(poly(n) · T(x)), where T(x) is the time it takes Alg to run on input x.

Recently, Couillard, Czerner, Esparza and Majumdar [5] have constructed 
an interactive protocol for QBF that is competitive with BDDSOLVER, the 
straightforward BDD-based algorithm that constructs a BDD for the satisfy- 
ing assignments of each subformula, starting at the leaves of the syntax tree 
and progressively moving up. In this paper, we will investigate UNSAT and 
give an interactive protocol that is competitive with DAVISPUTNAM, a decision 
procedure for UNSAT based on a restricted version of resolution. 


4 The Davis-Putnam Resolution Procedure 


We introduce the variant of resolution for which we later construct a competitive
interactive protocol. It is a version of the Davis-Putnam procedure.² Recall
that in our setting, clauses are multisets, and given a clause C and a literal l,
C(l) denotes the number of occurrences of l in C.


Definition 1. Let x be a variable. Full x-resolution is the procedure that takes
as input a formula φ satisfying C(x) + C(¬x) ≤ 1 for every clause C, and returns
the formula R_x(φ) computed as follows:

1. For every pair C_1, C_2 of clauses of φ such that x ∈ C_1 and ¬x ∈ C_2, add to
   φ the resolvent w.r.t. x of C_1 and C_2 (i.e. set φ := φ ⊕ Res_x(C_1, C_2)).
2. Remove all clauses containing x or ¬x.

Full x-cleanup is the procedure that takes as input a formula φ satisfying C(x) +
C(¬x) ≤ 2 for every clause C, and returns the formula C_x(φ) computed as
follows:

1. Remove from φ all clauses containing both x and ¬x.
2. Remove from each remaining clause all duplicates of x or ¬x.

The Davis-Putnam resolution procedure is the algorithm for UNSAT that, given
a total order x_1 < x_2 < ··· < x_n on the variables of an input formula φ, executes
Algorithm 1. The algorithm assumes that φ is a set of sets of literals, that is,
clauses contain no duplicate literals, and φ contains no duplicate clauses. We let
□ denote the empty clause.


² In Harrison's book [9], the Davis-Putnam procedure consists of three rules. The
version in Definition 1 uses only Rule III, which is sometimes called the Davis-
Putnam resolution procedure. Unfortunately, at the time of writing this paper, the
Wikipedia article for the Davis-Putnam algorithm uses a different terminology (even
though it cites [9]): it calls the three-rule procedure the Davis-Putnam algorithm,
and the algorithm consisting only of Rule III the Davis-Putnam procedure.
Algorithm 1 DAVISPUTNAM($\varphi$) 

    for $i = 1, \ldots, n$ do 
        $\varphi := R_{x_i}(\varphi)$ 
        for $j = i+1, \ldots, n$ do 
            $\varphi := C_{x_j}(\varphi)$ 
    if $\Box \in \varphi$ then 
        return "unsatisfiable" 
    else 
        return "satisfiable" 


Step | Formula | Arithmetisation 
Inp. | $\varphi = \{\{x, y\}, \{x, \neg y, \neg z\}, \{\neg x, \neg z\}, \{\neg x, \neg y, \neg z\}, \{y, z\}, \{\neg y, z\}\}$ | $B(\varphi) = (1-x)(1-y) + (1-x)y^3z^3 + x^3z^3 + x^3y^3z^3 + (1-y)(1-z) + y^3(1-z)$ 
$R_x$ | $\varphi_1 = \{\{y, \neg z\}, \{y, \neg y, \neg z\}, \{\neg y, \neg z, \neg z\}, \{\neg y, \neg z, \neg y, \neg z\}, \{y, z\}, \{\neg y, z\}\}$ | $B(\varphi_1) = (1-y)z^3 + (1-y)y^3z^3 + y^3z^6 + y^6z^6 + (1-y)(1-z) + y^3(1-z)$ 
$C_y$ | $\varphi_2 = \{\{y, \neg z\}, 2 \cdot \{\neg y, \neg z, \neg z\}, \{y, z\}, \{\neg y, z\}\}$ | $B(\varphi_2) = (1-y)z^3 + 2y^3z^6 + (1-y)(1-z) + y^3(1-z)$ 
$C_z$ | $\varphi_3 = \{\{y, \neg z\}, 2 \cdot \{\neg y, \neg z\}, \{y, z\}, \{\neg y, z\}\}$ | $B(\varphi_3) = (1-y)z^3 + 2y^3z^3 + (1-y)(1-z) + y^3(1-z)$ 
$R_y$ | $\varphi_4 = \{2 \cdot \{\neg z, \neg z\}, 3 \cdot \{\neg z, z\}, \{z, z\}\}$ | $B(\varphi_4) = 2z^6 + 3z^3(1-z) + (1-z)^2$ 
$C_z$ | $\varphi_5 = \{2 \cdot \{\neg z\}, \{z\}\}$ | $B(\varphi_5) = 2z^3 + (1-z)$ 
$R_z$ | $\varphi_6 = \{2 \cdot \Box\}$ | $B(\varphi_6) = 2$ 

Table 1. Run of DAVISPUTNAM on an input $\varphi$, and arithmetisation of the intermediate 
formulas. 


Observe that while the initial formula contains no duplicate clauses, the algo- 
rithm may create them, and they are not removed. 


Example 1. Table 1 shows on the left a run of DAVISPUTNAM on a formula $\varphi$ 
with three variables and six clauses. The right column is explained in Section 6.1. 


It is well-known that the Davis-Putnam resolution procedure is complete, 
but we give a proof suitable for our purposes. Let $\varphi[x := \mathit{true}]$ denote the 
result of replacing all occurrences of $x$ in $\varphi$ by $\mathit{true}$ and all occurrences of $\neg x$ 
by $\mathit{false}$. Define $\varphi[x := \mathit{false}]$ reversely. Further, let $\exists x\, \varphi$ be an abbreviation of 
$\varphi[x := \mathit{true}] \vee \varphi[x := \mathit{false}]$. We have: 

Lemma 2. Let $x$ be a variable and $\varphi$ a formula in CNF such that $C(x) + 
C(\neg x) \le 1$ for every clause $C$. Then $R_x(\varphi) = \exists x\, \varphi$. 


Proof. Let $C_1, \ldots, C_k$ be the clauses of $\varphi$. We have 

$$\begin{aligned}
\exists x\, \varphi &= \varphi[x := \mathit{true}] \vee \varphi[x := \mathit{false}] \\
&= \Big(\bigwedge_{i \in [k]} C_i[x := \mathit{true}]\Big) \vee \Big(\bigwedge_{j \in [k]} C_j[x := \mathit{false}]\Big) \\
&= \bigwedge_{i, j \in [k]} \big(C_i[x := \mathit{true}] \vee C_j[x := \mathit{false}]\big) \\
&= \bigwedge_{i \in [k],\; x, \neg x \notin C_i} C_i \;\wedge\; \bigwedge_{i, j \in [k],\; \neg x \in C_i,\; x \in C_j} \big(C_i[x := \mathit{true}] \vee C_j[x := \mathit{false}]\big) \\
&= R_x(\varphi).
\end{aligned}$$

For the second-to-last equivalence, consider a clause $C_i$ containing neither $x$ nor 
$\neg x$. Then $C_i \vee C_i$ is a clause of $\bigwedge_{i, j \in [k]} (C_i[x := \mathit{true}] \vee C_j[x := \mathit{false}])$, and 
it subsumes any other clause of the form $C_i \vee C_j$. The first conjunct of the 
penultimate line contains these clauses. Furthermore, if $C_i$ contains $x$ or if $C_j$ 
contains $\neg x$, then the disjunction $C_i[x := \mathit{true}] \vee C_j[x := \mathit{false}]$ is a tautology 
and can thus be ignored. It remains to consider the pairs $(C_i, C_j)$ of clauses such 
that $\neg x \in C_i$ and $x \in C_j$. This is the second conjunct. 


Lemma 3. Let $x$ be a variable and $\varphi$ a formula in CNF such that $C(x) + 
C(\neg x) \le 2$ for every clause $C$. Then $C_x(\varphi) = \varphi$. 

Proof. Since $x \vee \neg x = \mathit{true}$, a clause containing both $x$ and $\neg x$ is valid and 
thus can be removed. Furthermore, duplicates of $x$ in a clause can be removed 
because $x \vee x = x$. 


Theorem 1. DAVISPUTNAM is sound and complete. 


Proof. Let $\varphi$ be a formula over the variables $x_1, \ldots, x_n$. By Lemmas 2 and 3, after 
termination the algorithm arrives at a formula without variables equivalent to 
$\exists x_1 \cdots \exists x_n\, \varphi$. This final formula is equivalent to the truth value of whether $\varphi$ 
is satisfiable; that is, $\varphi$ is unsatisfiable iff the final formula contains the empty 
clause. 
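The procedure of Algorithm 1 on clauses-as-multisets, as an added example that is not code from the paper (the paper gives none): it reproduces the run of Table 1 step by step, and on a small satisfiable input checks Lemma 2 by brute force, i.e. that the models of $R_x(\varphi)$ are exactly the models of $\varphi$ with $x$ projected away. The clause encoding and all function names (`clause`, `formula`, `davis_putnam`, `models`, `resolution_is_projection`) are this example's own choices.

```python
from collections import Counter
from itertools import product

# A literal is (variable, polarity); a clause is a sorted tuple of literals (a multiset, so
# duplicates survive); a formula is a Counter mapping each clause to its multiplicity.

def clause(*lits):
    """Build a clause from literal strings such as 'x' and '~y'."""
    return tuple(sorted((s.lstrip("~"), not s.startswith("~")) for s in lits))

def formula(*clauses):
    return Counter(clauses)

def occurrences(c, x):
    """C(x) + C(~x): how often variable x occurs in clause C, counted with multiplicity."""
    return sum(1 for v, _ in c if v == x)

def full_resolution(phi, x):
    """R_x of Definition 1; only defined when every clause mentions x at most once."""
    assert all(occurrences(c, x) <= 1 for c in phi), "R_x needs C(x) + C(~x) <= 1"
    result = Counter({c: m for c, m in phi.items() if occurrences(c, x) == 0})
    positive = [(c, m) for c, m in phi.items() if (x, True) in c]
    negative = [(c, m) for c, m in phi.items() if (x, False) in c]
    for (c1, m1), (c2, m2) in product(positive, negative):
        rest = [l for l in c1 if l != (x, True)] + [l for l in c2 if l != (x, False)]
        result[tuple(sorted(rest))] += m1 * m2      # one resolvent per pair of clause copies
    return result

def full_cleanup(phi, x):
    """C_x of Definition 1: drop clauses containing x and ~x, and duplicate copies of x or ~x."""
    result = Counter()
    for c, m in phi.items():
        assert occurrences(c, x) <= 2, "C_x needs C(x) + C(~x) <= 2"
        if (x, True) in c and (x, False) in c:
            continue                                 # tautology, removed
        kept, seen = [], False
        for lit in c:
            if lit[0] == x:
                if seen:
                    continue                         # duplicate of x or ~x, removed
                seen = True
            kept.append(lit)
        result[tuple(sorted(kept))] += m
    return result

def davis_putnam(phi, order):
    """Algorithm 1. Returns the verdict and the list phi_0, phi_1, ... of intermediate
    formulas, one entry per macrostep, as in Table 1."""
    trace = [phi]
    for i, x in enumerate(order):
        phi = full_resolution(phi, x)
        trace.append(phi)
        for y in order[i + 1:]:
            phi = full_cleanup(phi, y)
            trace.append(phi)
    verdict = "unsatisfiable" if () in phi else "satisfiable"   # () is the empty clause
    return verdict, trace

def models(phi, variables):
    """Brute-force set of satisfying assignments (truth-value tuples in the order of `variables`)."""
    sat = set()
    for values in product([False, True], repeat=len(variables)):
        alpha = dict(zip(variables, values))
        if all(any(alpha[v] == pol for v, pol in c) for c in phi):
            sat.add(values)
    return sat

def resolution_is_projection(phi, x, variables):
    """Lemma 2 on a concrete input: the models of R_x(phi) over the remaining variables are
    exactly the models of phi with x projected away, i.e. R_x(phi) = exists x. phi."""
    i = variables.index(x)
    projected = {vals[:i] + vals[i + 1:] for vals in models(phi, variables)}
    remaining = variables[:i] + variables[i + 1:]
    return models(full_resolution(phi, x), remaining) == projected

if __name__ == "__main__":
    # The formula of Table 1 (order x < y < z); DAVISPUTNAM reaches {2 * []} after six macrosteps.
    phi = formula(clause("x", "y"), clause("x", "~y", "~z"), clause("~x", "~z"),
                  clause("~x", "~y", "~z"), clause("y", "z"), clause("~y", "z"))
    verdict, trace = davis_putnam(phi, ["x", "y", "z"])
    for step, f in zip(["input", "R_x", "C_y", "C_z", "R_y", "C_z", "R_z"], trace):
        print(step, dict(f))
    print(verdict)
```

Because formulas are `Counter`s, the duplicate clauses that the text says are never removed show up as multiplicities (the `2 *` and `3 *` of Table 1), and the final formula `{(): 2}` is distinguished from the empty formula (no clauses at all), which is what a satisfiable input leaves behind.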


5 Constructing Competitive Interactive Protocols for 
UNSAT 


We consider algorithms for UNSAT that, given a formula, execute a sequence of 
macrosteps. Throughout this section, we use DAVISPUTNAM as running example. 


Definition 2. A macrostep is a partial mapping $M$ that transforms a formula 
$\varphi$ into a formula $M(\varphi)$ equisatisfiable to $\varphi$. 


The first macrostep is applied to the input formula. The algorithm accepts 
if the formula returned by the last macrostep is equivalent to false. Clearly, all 
these algorithms are sound. 
Example 2. The macrosteps of DAVISPUTNAM are $R_x$ and $C_x$ for each vari- 
able $x$. On a formula with $n$ variables, DAVISPUTNAM executes exactly $\frac{n(n+1)}{2}$ 
macrosteps. 


We present an abstract design framework to obtain competitive interactive 
protocols for these macrostep-based algorithms. As in [5], the framework is 
based on arithmetisation of formulas. Arithmetisations are mappings that assign 
to a formula a polynomial with integer coefficients. In protocols, Verifier asks 
Prover to return the result of evaluating polynomials obtained by arithmetising 
formulas not over the integers, but over a prime field $\mathbb{F}_q$, where $q$ is a sufficiently 
large prime. An arithmetisation is useful for the design of protocols if the value 
of the polynomial on a binary input, that is, an assignment that assigns 0 or 1 
to every variable, determines the truth value of the formula under the assign- 
ment. We are interested in the following class of arithmetisations, just called 
arithmetisations for brevity: 


Definition 3. Let $\mathcal{F}$ and $\mathcal{P}$ denote the sets of formulas and polynomials over a 
set of variables. An arithmetisation is a mapping $A: \mathcal{F} \to \mathcal{P}$ such that for every 
formula $\varphi$ and every assignment $\sigma$ to its variables: 

(a) $\sigma$ satisfies $\varphi$ iff $\Pi_\sigma A(\varphi) = 0$,³ and 
(b) $\Pi_\sigma A(\varphi) \pmod q$ can be computed in time $O(|\varphi|\, \mathrm{polylog}\, q)$ for any prime $q$. 


In particular, two formulas $\varphi, \psi$ over the same set of variables are equivalent 
if and only if for every binary assignment $\sigma$, $\Pi_\sigma A(\varphi)$ and $\Pi_\sigma A(\psi)$ are either 
both zero or both nonzero. 


Example 3. Let $A$ be the mapping inductively defined as follows: 

$$\begin{array}{lll}
A(\mathit{true}) := 0 & A(\neg x) := x & A(\varphi_1 \wedge \varphi_2) := A(\varphi_1) + A(\varphi_2) \\
A(\mathit{false}) := 1 & A(x) := 1 - x & A(\varphi_1 \vee \varphi_2) := A(\varphi_1) \cdot A(\varphi_2).
\end{array}$$

For example, $A((x \vee \mathit{false}) \wedge \neg x) = ((1 - x) \cdot 1) + x = 1$. It is easy to see 
that $A$ is an arithmetisation in the sense of Definition 3. Notice that $A$ can 
map equivalent formulas to different polynomials. For example, $A(\neg x) = x$ and 
$A(\neg x \wedge \neg x) = 2x$. 


We define when an arithmetisation A is compatible with a macrostep M. 


Definition 4. Let $A: \mathcal{F} \to \mathcal{P}$ be an arithmetisation and let $M: \mathcal{F} \to \mathcal{F}$ be a 
macrostep. $A$ is compatible with $M$ if there exists a partial mapping $P_M: \mathcal{P} \to \mathcal{P}$ 
and a pivot variable $x \in X$ satisfying the following conditions: 

(a) $P_M$ simulates $M$: For every formula $\varphi$ where $M(\varphi)$ is defined, we have 
$A(M(\varphi)) = P_M(A(\varphi))$. 
(b) $P_M$ commutes with partial evaluations: For every polynomial $p$ and every 
assignment $\sigma: X \setminus \{x\} \to \mathbb{Z}$: $\Pi_\sigma(P_M(p)) = P_M(\Pi_\sigma(p))$. 
(c) $P_M(p \pmod q) = P_M(p) \pmod q$ for any prime $q$. 
(d) $P_M$ can be computed in polynomial time. 

3 In most papers one requires that $\sigma$ satisfies $\varphi$ iff $\Pi_\sigma A(\varphi) = 1$. Because of our later 
choice of arithmetisations, we prefer $\Pi_\sigma A(\varphi) = 0$. 


An arithmetisation A is compatible with Alg if it is compatible with every 
macrostep executed by Alg. 


Graphically, an arithmetisation $A$ is compatible with $M$ if there exists a 
mapping $P_M$ such that the following diagram commutes: 

$$\begin{array}{ccccc}
\mathcal{F} & \xrightarrow{\;A\;} & \mathcal{P} & \xrightarrow{\;\Pi_\sigma,\ \bmod q\;} & \mathcal{P} \\
\big\downarrow\, M & & \big\downarrow\, P_M & & \big\downarrow\, P_M \\
\mathcal{F} & \xrightarrow{\;A\;} & \mathcal{P} & \xrightarrow{\;\Pi_\sigma,\ \bmod q\;} & \mathcal{P}
\end{array}$$


We can now state and prove the main theorem of this section. 


Theorem 2. Let Alg be an algorithm for UNSAT and let $A$ be an arithmetisa- 
tion compatible with Alg such that for every input $\varphi$ 

(a) Alg executes a sequence of $k \in O(\mathrm{poly}|\varphi|)$ macrosteps, which compute a 
sequence $\varphi_0, \varphi_1, \ldots, \varphi_k$ of formulas with $\varphi_0 = \varphi$, 
(b) $A(\varphi_i)$ has maximum degree at most $d \in O(\mathrm{poly}|\varphi|)$, for any $i$, and 
(c) $A(\varphi_k)$ is a constant polynomial such that $|A(\varphi_k)| \le 2^{2^{|\varphi|}}$. 


Then there is an interactive protocol for UNSAT that is competitive with Alg. 


To prove Theorem 2, we first define a generic interactive protocol for UNSAT 
depending only on Alg and $A$, and then prove that it satisfies the properties of 
an interactive proof system: if $\varphi$ is unsatisfiable and Prover is honest, Verifier 
always accepts; and if $\varphi$ is satisfiable, then Verifier accepts with probability at 
most $2^{-|\varphi|}$, regardless of Prover. 


5.1 Interactive Protocol 


The interactive protocol for a given algorithm Alg operates on polynomials over a 
prime finite field, instead of the integers. Given a prime $q$, we write $A_q(\varphi) := A(\varphi) 
\pmod q$ for the polynomial over $\mathbb{F}_q$ (the finite field with $q$ elements) that one 
obtains by taking the coefficients of $A(\varphi)$ modulo $q$. 

At the start of the protocol, Prover sends Verifier a prime $q$, and then ex- 
changes messages with Verifier about the values of polynomials over $\mathbb{F}_q$, with the 
goal of convincing Verifier that $A(\varphi_k) \ne 0$ by showing $A_q(\varphi_k) \ne 0$ instead.⁴ The 


4 We implicitly extend $P_M$ to polynomials over $\mathbb{F}_q$ in the obvious way: we consider 
the input $p$ as a polynomial over $\mathbb{Z}$ by selecting the smallest representative in $\mathbb{N}$ for 
each coefficient, apply $P_M$, and then take the coefficients of the output polynomial 
modulo $q$. 


126 P. Czerner, J. Esparza, V. Krasotin 


following lemma demonstrates that this is both sound and complete; (a) shows 
that a dishonest Prover cannot cheat in this way, and (b) shows that an honest 
Prover can always convince Verifier. 


Lemma 4. Let $\varphi_k$ be the last formula computed by Alg. 

(a) For every prime $q$, we have that $A_q(\varphi_k) \ne 0$ implies that $\varphi$ is unsatisfiable. 
(b) If $\varphi$ is unsatisfiable, then there exists a prime $q$ s.t. $A_q(\varphi_k) \ne 0$. 

Proof. For every prime $q$, if $A_q(\varphi_k) \ne 0$ then $A(\varphi_k) \ne 0$. For the converse, pick 
any prime $q$ larger than $A(\varphi_k)$. 


We let $\Phi = \varphi_0, \varphi_1, \ldots, \varphi_k$ denote the sequence of formulas computed by Alg, 
and $d$ the bound on the polynomials $A(\varphi_i)$ of Theorem 2. Observe that the 
formulas in the sequence can be exponentially larger than $\varphi$, and so Verifier 
cannot even read them. For this reason, during the protocol Verifier repeatedly 
sends Prover partial assignments $\sigma$ chosen at random, and Prover sends back to 
Verifier claims about the formulas of the sequence of the form $\Pi_\sigma A_q(\varphi_i) = w$. 
The first claim is about $\varphi_k$, the second about $\varphi_{k-1}$, and so on. Verifier stores 
the current claim by maintaining variables $i$, $w$, and $\sigma$. The protocol guarantees 
that the claim about $\varphi_i$ reduces to the claim about $\varphi_{i-1}$, in the following sense: 
if a dishonest Prover makes a false claim about $\varphi_i$ but a true claim about $\varphi_{i+1}$, 
Verifier detects with high probability that the claim about $\varphi_i$ is false and rejects. 
Therefore, in order to make Verifier accept a satisfiable formula $\varphi$, a dishonest 
Prover must keep making false claims, and in particular make a false last claim 
about $\varphi_0 = \varphi$. The protocol also guarantees that a false claim about $\varphi_0$ is always 
detected by Verifier. 

The protocol is described in Table 2. It presents the steps of Verifier and an 
honest Prover. 


Example 4. In the next section we use the generic protocol of Table 2 to give an 
interactive protocol for Alg := DAVISPUTNAM, using an arithmetisation called 
$B$. Table 3 shows a possible run of this protocol on the formula $\varphi$ of Table 1. We 
can already explain the shape of the run, even if $B$ is not defined yet. 

Recall that on input $\varphi$, DAVISPUTNAM executes six steps, shown in the left 
column of Table 1, that compute the formulas $\varphi_1, \ldots, \varphi_6$. Each row of Table 3 
corresponds to a round of the protocol. In round $i$, Prover sends Verifier the 
polynomial $p_i$ corresponding to the claim $\Pi_{\sigma'} A_q(\varphi_i)$ (column Honest Prover). 
Verifier performs a check on the claim (line with $\overset{?}{=}$). If the check passes, Verifier 
updates $\sigma$ and sends it to Prover as the assignment to be used for the next claim. 


5.2 The interactive protocol is correct and competitive with Alg 


We need to show that the interactive protocol of Table 2 is correct and com- 
petitive with Alg. We do so by means of a sequence of lemmas. Lemmas 6 to 8 
bound the error probability of Verifier and the running time of both Prover and 
Verifier as a function of the prime $q$. Lemma 9 shows that Prover can efficiently 
compute a suitable prime. The last part of the section combines the lemmas to 
prove Theorem 2. 
1. Prover picks an appropriate prime $q$; i.e. a prime s.t. $A_q(\varphi_k) \ne 0$, where $\varphi_k$ 
is the last formula computed by Alg. (The algorithm to compute $q$ is given 
later.) 

2. Prover sends both $q$ and $A_q(\varphi_k)$ to Verifier. If Prover sends $A_q(\varphi_k) = 0$, 
Verifier rejects. 

3. Verifier sets $i := k$, $w := A_q(\varphi_k)$ (sent by Prover in the previous step), and $\sigma$ to 
an arbitrary assignment. (Since initially $A(\varphi_k)$ is a constant, $\sigma$ is irrelevant.) 

4. For each $i = k, \ldots, 1$, the claim about $\varphi_i$ is reduced to a claim about $\varphi_{i-1}$: 

4.1 Let $x$ denote the pivot variable of $M_i$ and set $\sigma'$ to the partial assign- 
ment that is undefined on $x$ and otherwise matches $\sigma$. Prover sends the 
polynomial $p := \Pi_{\sigma'} A_q(\varphi_{i-1})$, which is a univariate polynomial in $x$. 

4.2 If the degree of $p$ exceeds $d$ or $\Pi_{[x := \sigma(x)]} P_{M_i}(p) \ne w$, Verifier rejects. 
Otherwise, Verifier chooses an $r \in \mathbb{F}_q$ uniformly at random and updates 
$w := \Pi_{[x := r]}\, p$ and $\sigma(x) := r$. 

5. Finally, Verifier checks the claim $\Pi_\sigma A_q(\varphi_0) = w$ by itself and rejects if it does 
not hold. Otherwise, Verifier accepts. 

Table 2. An interactive protocol for an algorithm for UNSAT describing the behaviour 
of Verifier and the honest Prover. 


Completeness. We start by establishing that an honest Prover can always 
convince Verifier. 


Lemma 5. If $\varphi$ is unsatisfiable and Prover is honest (i.e. acts as described in 
Table 2), then Verifier accepts with probability 1. 


Proof. We show that Verifier accepts. First we show that Verifier does not reject 
in step 2, i.e. that $A_q(\varphi_k) \ne 0$. Since $\varphi$ is unsatisfiable by assumption, by Defini- 
tion 2 we have that $\varphi_k$ is unsatisfiable. Then, Definition 3(a) implies $A_q(\varphi_k) \ne 0$ 
(note that $A_q(\varphi_k)$ is constant, by Theorem 2(c)). 

Let us now argue that the claim Verifier tracks (i.e., the claim given by the 
current values of the variables) is always true. In step 3, it is initialised with 
$w := A_q(\varphi_k)$, so the claim is true at that point. 

In each step 4.2, Verifier checks $\Pi_{[x := \sigma(x)]} P_{M_i}(p) = w$. As Prover is honest, 
it sent $p := \Pi_{\sigma'} A_q(\varphi_{i-1})$ in the previous step; so the check is equivalent to 

$$\begin{aligned}
w &= \Pi_{[x := \sigma(x)]} P_{M_i}\big(\Pi_{\sigma'} A_q(\varphi_{i-1})\big) && \text{(Definition 4(b))} \\
&= \Pi_\sigma P_{M_i}\big(A_q(\varphi_{i-1})\big) && \text{(Definition 4(a,c))} \\
&= \Pi_\sigma A_q\big(M_i(\varphi_{i-1})\big) = \Pi_\sigma A_q(\varphi_i).
\end{aligned}$$

By induction hypothesis $w = \Pi_\sigma A_q(\varphi_i)$ holds, and thus Verifier does not reject. 
When Verifier updates the claim, it selects a random number $r$. Due to $p = 
\Pi_{\sigma'} A_q(\varphi_{i-1})$, the new claim will hold for all possible values of $r$. 
In step 5, we still have the invariant that the claim is true, so Verifier will 
accept. 
Probability of error. Establishing soundness is more involved. The key idea 
of the proof (which is the same idea as for other interactive protocols) is that for 
Verifier to accept erroneously, the claim it tracks must at some point be true. 
However, initially the claim is false. It thus suffices to show that each step of the 
algorithm is unlikely to turn a false claim into a true one. 


Lemma 6. Let $A, d, k$ be as in Theorem 2. If $\varphi$ is satisfiable, then for any Prover, 
honest or not, Verifier accepts with probability at most $dk/q \in O(\mathrm{poly}(|\varphi|)/q)$. 


Proof. Let $i \in \{k, \ldots, 1\}$, let $\sigma, w$ denote the values of these variables at the 
beginning of step 4.1 in iteration $i$, and let $\sigma', w'$ denote the corresponding 
(updated) values at the end of step 4.2. 

We say that Prover tricks Verifier at iteration $i$ if the claim tracked by Verifier 
was false at the beginning of step 4 and is true at the end, i.e. $\Pi_\sigma A_q(\varphi_i) \ne w$ 
and $\Pi_{\sigma'} A_q(\varphi_{i-1}) = w'$. 

The remainder of the proof is split into three parts. 

(a) If Verifier accepts, it was tricked. 
(b) For any $i$, Verifier is tricked at iteration $i$ with probability at most $d/q$. 
(c) Verifier is tricked with probability at most $dk/q \in O(\mathrm{poly}(|\varphi|)/q)$. 

Part (a). If $\varphi$ is satisfiable, then so is $\varphi_k$ (Definition 2), and thus $\Pi_\sigma A_q(\varphi_k) = 0$ 
(Definition 3(a); also note that $\Pi_\sigma A_q(\varphi_k)$ is constant). Therefore, in step 2 
Prover either claims $\Pi_\sigma A_q(\varphi_k) = 0$ and Verifier rejects, or the initial claim in 
step 3 is false. 

If Verifier is never tricked, the claim remains false until step 5 is executed, 
at which point Verifier will reject. So to accept, Verifier must be tricked. 

Part (b). Let $i \in \{k, \ldots, 1\}$ and assume that the claim is false at the beginning 
of iteration $i$ of step 4. Now there are two cases. If Prover sends the polynomial 
$p = \Pi_{\sigma'} A_q(\varphi_{i-1})$, then, as argued in the proof of Lemma 5, Verifier's check 
is equivalent to $w \overset{?}{=} \Pi_\sigma A_q(\varphi_i)$, which is the current claim. However, we have 
assumed that the claim is false, so Verifier would reject. Hence, Prover must send 
a polynomial $p \ne \Pi_{\sigma'} A_q(\varphi_{i-1})$ (of degree at most $d$) to trick Verifier. 

Since two distinct polynomials of degree at most $d$ over $\mathbb{F}_q$ agree on at most $d$ 
points, the probability that Verifier selects an $r$ with $\Pi_{[x := r]}\, p = 
\Pi_{[x := r]} \Pi_{\sigma'} A_q(\varphi_{i-1})$ is at most $d/q$. Conversely, with probability at least $1 - d/q$, 
the new claim is false as well and Verifier is not tricked in this iteration. 

Part (c). We have shown that the probability that Verifier is tricked in one 
iteration is at most $d/q$. By the union bound, Verifier is thus tricked with probability 
at most $dk/q$, as there are $k$ iterations. By conditions (a) and (b) of Theorem 2, 
we get $dk/q \in O(\mathrm{poly}(|\varphi|)/q)$. 


Running time of Verifier. The next lemma estimates Verifier's running time 
in terms of $|\varphi|$ and $q$. 

Lemma 7. Verifier runs in time $O(\mathrm{poly}(|\varphi| \log q))$. 
Proof. Verifier performs operations on polynomials of degree at most $d$ with 
coefficients in $\mathbb{F}_q$. So a polynomial can be represented using $d \log q$ bits, and 
arithmetic operations are polynomial in that representation. Additionally, Veri- 
fier needs to execute $P_{M_i}$ for each $i$, which can also be done in polynomial time 
(Definition 4(d)). There are $k \in O(\mathrm{poly}|\varphi|)$ iterations. 

Finally, Verifier checks the claim $\Pi_\sigma A_q(\varphi) = w$ for some assignment $\sigma$ and 
$w \in \mathbb{F}_q$. Definition 3 ensures that this takes $O(|\varphi|\, \mathrm{polylog}\, q)$ time. The overall 
running time is therefore in $O(\mathrm{poly}(|\varphi|\, d \log q))$. The final result follows from 
condition (b) of Theorem 2. 


Running time of Prover. We give a bound on the running time of Prover, 
excluding the time needed to compute the prime q. 


Lemma 8. Assume that $A$ is an arithmetisation satisfying the conditions of 
Theorem 2. Let $T$ denote the time taken by Alg on $\varphi$. The running time of 
Prover, excluding the time needed to compute the prime $q$, is $O(T\, \mathrm{poly}(|\varphi| \log q))$. 

Proof. After picking the prime $q$, Prover has to compute $\Pi_\sigma A_q(\varphi_i)$ for different 
$i \in [k]$ and assignments $\sigma$. The conditions of Theorem 2 guarantee that this can 
be done in time $O(|\varphi_i|\, \mathrm{polylog}\, q) \subseteq O(|\varphi_i|\, \mathrm{poly}(|\varphi| \log q))$. We have $\sum_i |\varphi_i| \le T$, 
as Alg needs to write each $\varphi_i$ during its execution. The total running time follows 
by summing over $i$. 


Computing the prime $q$. The previous lemmas show the dependence of Ver- 
ifier's probability of error and the running times of Prover and Verifier as a 
function of $|\varphi|$ and $q$. Our final lemma gives a procedure for Prover to compute 
a suitable prime $q$. Together with the previous lemmas, this will easily yield 
Theorem 2. 


Lemma 9. For every $c > 0$ there exists a procedure for Prover to find a prime 
$q \in 2^{O(|\varphi|)}$ such that $q > 2^{c|\varphi|}$ and $A_q(\varphi_k) \ne 0$ in expected time $O(T|\varphi|)$, where 
$T$ is the running time of Alg. 

Proof. Assume w.l.o.g. that $c > 1$. Prover first runs Alg to compute $\varphi_k$ and then 
chooses a prime $q$ with $2^{c|\varphi|} < q \le 2^{c|\varphi|+1}$ uniformly at random; thus $q \in 2^{O(|\varphi|)}$ 
is guaranteed. If Prover arrives at $A_q(\varphi_k) = 0$, Prover chooses another prime $q$ 
in the same way, until one is chosen s.t. $A_q(\varphi_k) \ne 0$. 

Since $|A(\varphi_k)| \le 2^{2^{|\varphi|}}$, $A(\varphi_k)$ is divisible by at most $2^{|\varphi|}$ different primes. 
Using the prime number theorem, there are $\Omega(2^{c|\varphi|}/(c|\varphi|))$ primes $2^{c|\varphi|} < q \le 
2^{c|\varphi|+1}$, so the probability that the picked $q$ divides $A(\varphi_k)$ is $O(c|\varphi|/2^{(c-1)|\varphi|})$. 

Therefore, for any $c > 1$ this probability is at most, say, $1/2$ for sufficiently 
large $|\varphi|$. In expectation, Prover thus needs to test 2 primes $q$, and each test 
takes time $O(|\varphi_k|\, \mathrm{polylog}\, q)$ (see Definition 3(b)), which is in $O(T|\varphi|)$. 
Proof of Theorem 2. We can now conclude the proof of the theorem. 

Completeness was already proved in Lemma 5. 

Soundness. We need to ensure that the error probability is at most $2^{-|\varphi|}$. By 
Lemma 6 the probability $p$ of error satisfies $p \le dk/q$, where $dk \in O(\mathrm{poly}(|\varphi|))$. 
So there is an $\varepsilon > 0$ with $dk \le 2^{\varepsilon|\varphi|}$. Using $c := 1 + \varepsilon$ as constant for Lemma 9 
we are done. 

Verifier's running time. By Lemma 7, Verifier runs in time $O(\mathrm{poly}(|\varphi| \log q))$. 
Using the prime $q \in 2^{O(|\varphi|)}$ of Lemma 9, the running time is $O(\mathrm{poly}(|\varphi|))$. 

Competitivity. By Lemma 8, Prover runs in time $O(T\, \mathrm{poly}(|\varphi| \log q))$ plus the 
time needed to compute the prime, which, by Lemma 9, is in $O(T\, \mathrm{poly}(|\varphi|))$. Again 
using $q \in 2^{O(|\varphi|)}$, we find that the protocol is competitive with Alg. 


6 An Interactive Proof System Competitive with the 
Davis-Putnam Resolution Procedure 


In order to give an interactive proof system for the Davis-Putnam resolution 
procedure, it suffices to find an arithmetisation which is compatible with the full 
$x$-resolution step $R_x$ and the full $x$-cleanup step $C_x$ such that all properties of 
Theorem 2 are satisfied. In this section, we present such an arithmetisation. 


6.1 An arithmetisation compatible with $R_x$ and $C_x$ 


We find an arithmetisation compatible with both $R_x$ and $C_x$. Let us first see 
that the arithmetisation of Example 3 does not work. 


Example 5. The arithmetisation $A$ of Example 3 is not compatible with $R_x$. To 
see this, let $\varphi = (\neg x \vee \neg y) \wedge (x \vee \neg z) \wedge \neg w$. We have $R_x(\varphi) = (\neg y \vee \neg z) \wedge \neg w$, 
$A(R_x(\varphi)) = yz + w$, and $A(\varphi) = xy + (1 - x)z + w = x(y - z) + z + w$. 
If $A$ were compatible with $R_x$, then there would exist an operation $P_{R_x}$ on 
polynomials such that $P_{R_x}(x(y - z) + z + w) = yz + w$ by Definition 4(a), and 
from Definition 4(b), we get $P_{R_x}(\Pi_\sigma(x(y - z) + z + w)) = \Pi_\sigma(yz + w)$ for all 
partial assignments $\sigma: \{y, z, w\} \to \mathbb{Z}$. For $\sigma := \{y \mapsto 1, z \mapsto 0, w \mapsto 1\}$, it 
follows that $P_{R_x}(x + 1) = 1$, but for $\sigma := \{y \mapsto 2, z \mapsto 1, w \mapsto 0\}$, it follows that 
$P_{R_x}(x + 1) = 2$, a contradiction. 


We thus present a non-standard arithmetisation. 


Definition 5. The arithmetisation $B$ of a CNF formula $\varphi$ is the recursively 
defined polynomial 

$$\begin{array}{lll}
B(\mathit{true}) := 0 & B(x) := 1 - x & B(\varphi_1 \wedge \varphi_2) := B(\varphi_1) + B(\varphi_2) \\
B(\mathit{false}) := 1 & B(\neg x) := x^3 & B(\varphi_1 \vee \varphi_2) := B(\varphi_1) \cdot B(\varphi_2).
\end{array}$$
Example 6. The right column of Table 1 shows the polynomials obtained by 
applying $B$ to the formulas on the left. For example, we have $B(\varphi_5) = B(\neg z \wedge 
\neg z \wedge z) = 2B(\neg z) + B(z) = 2z^3 + 1 - z$. 


We first prove that $B$ is indeed an arithmetisation. 


Proposition 1. For every formula $\varphi$ and every assignment $\sigma: X \to \{0, 1\}$ to 
the variables $X$ of $\varphi$, we have that $\sigma$ satisfies $\varphi$ iff $\Pi_\sigma B(\varphi) = 0$. 

Proof. We prove the statement by induction on the structure of $\varphi$. The statement 
is trivially true for $\varphi \in \{\mathit{true}, \mathit{false}, x, \neg x\}$. For $\varphi = \varphi_1 \vee \varphi_2$, we have 

$$\begin{aligned}
\sigma \text{ satisfies } \varphi &\Leftrightarrow \sigma \text{ satisfies } \varphi_1 \vee \varphi_2 \Leftrightarrow \sigma \text{ satisfies } \varphi_1 \text{ or } \sigma \text{ satisfies } \varphi_2 \\
&\Leftrightarrow \Pi_\sigma B(\varphi_1) = 0 \vee \Pi_\sigma B(\varphi_2) = 0 \Leftrightarrow \Pi_\sigma B(\varphi_1) \cdot \Pi_\sigma B(\varphi_2) = 0 \\
&\Leftrightarrow \Pi_\sigma B(\varphi_1 \vee \varphi_2) = 0 \Leftrightarrow \Pi_\sigma B(\varphi) = 0,
\end{aligned}$$

and for $\varphi = \varphi_1 \wedge \varphi_2$, we have 

$$\begin{aligned}
\sigma \text{ satisfies } \varphi &\Leftrightarrow \sigma \text{ satisfies } \varphi_1 \wedge \varphi_2 \Leftrightarrow \sigma \text{ satisfies } \varphi_1 \text{ and } \sigma \text{ satisfies } \varphi_2 \\
&\Leftrightarrow \Pi_\sigma B(\varphi_1) = 0 \wedge \Pi_\sigma B(\varphi_2) = 0 \Leftrightarrow \Pi_\sigma B(\varphi_1) + \Pi_\sigma B(\varphi_2) = 0 \\
&\Leftrightarrow \Pi_\sigma B(\varphi_1 \wedge \varphi_2) = 0 \Leftrightarrow \Pi_\sigma B(\varphi) = 0.
\end{aligned}$$

The equivalence $\Pi_\sigma B(\varphi_1) = 0 \wedge \Pi_\sigma B(\varphi_2) = 0 \Leftrightarrow \Pi_\sigma B(\varphi_1) + \Pi_\sigma B(\varphi_2) = 0$ holds 
because $\Pi_\sigma B(\psi)$ cannot be negative for binary assignments $\sigma$. 


$B$ is compatible with $R_x$. We exhibit a mapping $\gamma_x: \mathcal{P} \to \mathcal{P}$ satisfying the 
conditions of Definition 4 for the macrostep $R_x$. Recall that $R_x$ is only defined 
for formulas $\varphi$ in CNF such that $C(x) + C(\neg x) \le 1$ for every clause $C$. Since 
arithmetisations of such formulas only have an $x^3$ term, an $x$ term, and a constant 
term, it suffices to define $\gamma_x$ for polynomials of the form $a_3x^3 + a_1x + a_0$. 


Lemma 10. Let $\gamma_x: \mathcal{P} \to \mathcal{P}$ be the partial mapping defined by $\gamma_x(a_3x^3 + a_1x + 
a_0) := -a_3a_1 + a_1 + a_0$. The mapping $\gamma_x$ witnesses that $B$ is polynomially com- 
patible with the full resolution macrostep $R_x$. 


Proof. We show that $\gamma_x$ satisfies all properties of Definition 4. Let $\varphi$ be a formula 
in CNF such that $C(x) + C(\neg x) \le 1$ for every clause $C$ (see Definition 1). Then 
$\varphi$ is of the form 

$$\bigwedge_{i \in [k]} (x \vee a_i) \;\wedge\; \bigwedge_{j \in [l]} (\neg x \vee b_j) \;\wedge\; c,$$

where $a_i, b_j$ are disjunctions not depending on $x$ and $c$ is a conjunction of clauses 
not depending on $x$. We have $R_x(\varphi) = \bigwedge_{i \in [k],\, j \in [l]} (a_i \vee b_j) \wedge c$. Now, writing 
$a_i$, $b_j$, $c$ also for the polynomials $B(a_i)$, $B(b_j)$, $B(c)$, 

$$B(\varphi) = \sum_{i \in [k]} (1 - x)\, a_i + \sum_{j \in [l]} x^3\, b_j + c = x^3 \sum_{j \in [l]} b_j - x \sum_{i \in [k]} a_i + \sum_{i \in [k]} a_i + c,$$

and thus 

$$\gamma_x(B(\varphi)) = \sum_{j \in [l]} b_j \cdot \sum_{i \in [k]} a_i - \sum_{i \in [k]} a_i + \sum_{i \in [k]} a_i + c = \sum_{i \in [k],\, j \in [l]} a_i b_j + c = B(R_x(\varphi)).$$

This proves (a). Since $\gamma_x$ does not depend on variables other than $x$, (b) is also 
given. (c) and (d) are trivial. 


$B$ is compatible with $C_x$. We exhibit a mapping $\delta_x: \mathcal{P} \to \mathcal{P}$ satisfying the 
conditions of Definition 4 for the cleanup macrostep $C_x$. Recall that $C_x$ is only 
defined for formulas $\varphi$ in CNF such that $C(x) + C(\neg x) \le 2$ for every clause $C$. 
Arithmetisations of such formulas are polynomials of degree at most 6 in each 
variable, and so it suffices to define $\delta_x$ for these polynomials. 


Lemma 11. Let $\delta_x: \mathcal{P} \to \mathcal{P}$ be the partial mapping defined by 
$\delta_x(a_6x^6 + a_5x^5 + \cdots + a_1x + a_0) := (a_6 + a_4 + a_3)x^3 + (a_2 + a_1)x + a_0$. 
The mapping $\delta_x$ witnesses that $B$ is polynomially compatible with $C_x$. 


Proof. We show that $\delta_x$ satisfies all properties of Definition 4. We start with (a). 
Since $B(C \wedge C') = B(C) + B(C')$ for clauses $C, C'$ and $\delta_x(p_1 + p_2) = \delta_x(p_1) + \delta_x(p_2)$, 
it suffices to show that $\delta_x(B(C)) = B(C_x(C))$ for all clauses $C$ of $\varphi$. Now let $C$ 
be a clause of $\varphi$. We assume that $C(x) + C(\neg x) \le 2$ (see Definition 1). 

– If $C(x) + C(\neg x) \le 1$, then $\delta_x(B(C)) = B(C) = B(C_x(C))$. 
– If $C = x \vee x \vee C'$, then $B(C) = (1 - x)^2 B(C') = (1 - 2x + x^2)\, B(C')$, so 
$\delta_x B(C) = (1 - 2x + x)\, B(C') = (1 - x)\, B(C') = B(x \vee C') = B(C_x(C))$. 
– If $C = \neg x \vee \neg x \vee C'$, then $B(C) = x^6 B(C')$, so $\delta_x B(C) = x^3 B(C') = 
B(\neg x \vee C') = B(C_x(C))$. 
– If $C = x \vee \neg x \vee C'$, then $B(C) = (1 - x)x^3 B(C') = x^3 B(C') - x^4 B(C')$, so 
$\delta_x B(C) = x^3 B(C') - x^3 B(C') = 0 = B(C_x(C))$. 

This proves (a). Since $\delta_x$ does not depend on variables other than $x$, (b) is also 
given. Parts (c) and (d) are trivial. 


As observed earlier, DAVISPUTNAM does not remove duplicate clauses; that 
is, Prover maintains a multiset of clauses that may contain multiple copies of a 
clause. We show that the number of copies is at most double-exponential in $|\varphi|$. 


Lemma 12. Let $\varphi$ be the input formula, and let $\varphi_k$ be the last formula computed 
by DAVISPUTNAM. Then $B(\varphi_k) \in 2^{2^{O(|\varphi|)}}$. 


Proof. Let $n_c(\psi)$ be the number of clauses in a formula $\psi$, and let $x$ be a variable. 
Then $n_c(C_x(\psi)) \le n_c(\psi)$ because a cleanup step can only change or delete 
clauses. Moreover, $n_c(R_x(\psi)) = n_x n_{\neg x} - n_x - n_{\neg x} + n_c(\psi)$ where $n_x$ and $n_{\neg x}$ 
are the numbers of clauses in $\psi$ which contain $x$ and $\neg x$, respectively. We get 
$n_c(R_x(\psi)) \le (n_x + n_{\neg x})^2 - (n_x + n_{\neg x}) + n_c(\psi)$. Since $n_x + n_{\neg x} \le n_c(\psi)$, 
it follows that $n_c(R_x(\psi)) \le (n_c(\psi))^2$. Now let $n$ be the number of variables. 
Since $\varphi_k$ is reached after $n$ resolution steps, it follows that $B(\varphi_k) = n_c(\varphi_k) \le 
n_c(\varphi)^{2^n} = 2^{2^{O(|\varphi|)}}$. 

Round | Honest Prover | Verifier 
Initial | $q := 15871$; $p_6 := B_q(\varphi_6) = 2$; send $q, p_6$ | $w := p_6 = 2$; $\sigma := \{x \mapsto 3, y \mapsto 4, z \mapsto 3\}$; send $\sigma$ 
$k = 6$ | $\sigma' := \{x \mapsto 3, y \mapsto 4\}$; $p_5 := \Pi_{\sigma'}(B_q(\varphi_5)) = 2z^3 - z + 1$; send $p_5$ | $\Pi_{[z := 3]}\gamma_z(p_5) = \Pi_{[z := 3]}\, 2 \overset{?}{=} 2$; $\sigma(z) := 4$; $w := \Pi_{[z := 4]}\, p_5 = 125$; send $\sigma$ 
$k = 5$ | $\sigma' := \{x \mapsto 3, y \mapsto 4\}$; $p_4 := \Pi_{\sigma'}(B_q(\varphi_4)) = 2z^6 - 3z^4 + 3z^3 + z^2 - 2z + 1$; send $p_4$ | $\Pi_{[z := 4]}\delta_z(p_4) = \Pi_{[z := 4]}(2z^3 - z + 1) \overset{?}{=} 125$; $\sigma(z) := 2$; $w := \Pi_{[z := 2]}\, p_4 = 105$; send $\sigma$ 
$k = 4$ | $\sigma' := \{x \mapsto 3, z \mapsto 2\}$; $p_3 := \Pi_{\sigma'}(B_q(\varphi_3)) = 15y^3 - 7y + 7$; send $p_3$ | $\Pi_{[y := 4]}\gamma_y(p_3) = \Pi_{[y := 4]}\, 105 \overset{?}{=} 105$; $\sigma(y) := 2$; $w := \Pi_{[y := 2]}\, p_3 = 113$; send $\sigma$ 
$k = 3$ | $\sigma' := \{x \mapsto 3, y \mapsto 2\}$; $p_2 := \Pi_{\sigma'}(B_q(\varphi_2)) = 16z^6 - z^3 - 7z + 7$; send $p_2$ | $\Pi_{[z := 2]}\delta_z(p_2) = \Pi_{[z := 2]}(15z^3 - 7z + 7) \overset{?}{=} 113$; $\sigma(z) := 3$; $w := \Pi_{[z := 3]}\, p_2 = 11623$; send $\sigma$ 
$k = 2$ | $\sigma' := \{x \mapsto 3, z \mapsto 3\}$; $p_1 := \Pi_{\sigma'}(B_q(\varphi_1)) = 729y^6 - 27y^4 + 754y^3 - 25y + 25$; send $p_1$ | $\Pi_{[y := 2]}\delta_y(p_1) = \Pi_{[y := 2]}(1456y^3 - 25y + 25) \overset{?}{=} 11623$; $\sigma(y) := 1$; $w := \Pi_{[y := 1]}\, p_1 = 1456$; send $\sigma$ 
$k = 1$ | $\sigma' := \{y \mapsto 1, z \mapsto 3\}$; $p_0 := \Pi_{\sigma'}(B_q(\varphi_0)) = 54x^3 - 27x + 25$; send $p_0$ | $\Pi_{[x := 3]}\gamma_x(p_0) = \Pi_{[x := 3]}\, 1456 \overset{?}{=} 1456$; $\sigma(x) := 2$; $w := \Pi_{[x := 2]}\, p_0 = 493$; send $\sigma$ 
Final | | $\Pi_\sigma B_q(\varphi) = 493$ 

Table 3. Run of the instance of the interactive protocol of Table 2 for DAVISPUTNAM, 
using the arithmetisation $B$ of Definition 5. 


Proposition 2. There exists an interactive protocol for UNSAT that is compet- 
itive with DAVISPUTNAM. 


Proof. We show that $B$ satisfies all properties of Theorem 2. On an input 
formula $\varphi$ over $n$ variables, DAVISPUTNAM executes $n$ resolution steps $R_x$ and 
$n(n-1)/2$ cleanup steps $C_x$, which gives $n(n+1)/2$ macrosteps in total and 
proves (a). 

Since $\varphi$ does not contain any variable more than once per clause and since 
cleanup steps w.r.t. all remaining variables are applied after every resolution 
step, resolution steps can only increase the maximum degree of $B(\varphi_i)$ to at most 
6 (from 3). Hence the maximum degree of $B(\varphi_i)$ is at most 6 for any $i$, showing 
(b). 
Furthermore, since $R_x(\varphi_i)$ does not contain any occurrence of $x$, and resolu- 
tion steps are performed w.r.t. all variables, $\varphi_k$ does not contain any variables, 
so $\varphi_k = \{a \cdot \Box\}$ for some $a \in \mathbb{N}$ where $\Box$ is the empty clause. Together with 
Lemma 12, (c) follows. 


Instantiating Theorem 2 with $B$ yields an interactive protocol competitive 
with DAVISPUTNAM. Table 3 shows a run of this protocol on the formula $\varphi$ 
of Table 1. Initially, Prover runs DAVISPUTNAM on $\varphi$, computing the formulas 
$\varphi_1, \ldots, \varphi_6$. Then, during the run of the protocol, it sends to Verifier polynomials 
of the form $\Pi_{\sigma'} B_q(\varphi_{i-1})$ for the assignments $\sigma'$ chosen by Verifier. 
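The protocol of Table 2 instantiated with the arithmetisation $B$ of Definition 5 and the mappings $\gamma_x$ (Lemma 10) and $\delta_x$ (Lemma 11) over $\mathbb{F}_q$, as an added example that is not the authors' code: it replays the run of Table 3 on the formulas $\varphi_0, \ldots, \varphi_6$ of Table 1 (copied in as data rather than recomputed), with Verifier's random field elements fixed to the values Table 3 uses so the run is reproducible, and it shows the check of step 4.2 rejecting when the Prover's polynomials come from an inconsistent formula sequence. The dict-based polynomial representation and all function and constant names (`B_formula`, `partial_eval`, `gamma`, `delta`, `run_protocol`, `PHI`, `STEPS`, `RANDOMS`) are this example's own assumptions.

```python
from itertools import product

Q = 15871                 # the prime Prover picks in Table 3
VARS = ("x", "y", "z")    # variable order x < y < z of Table 1
D = 6                     # degree bound d of Theorem 2(b) for the arithmetisation B
ZERO = (0,) * len(VARS)
# Polynomials over F_q are dicts {exponent tuple: coefficient}; exponents follow VARS.
def padd(p, r, q=Q):
    out = dict(p)
    for m, c in r.items():
        out[m] = (out.get(m, 0) + c) % q
    return {m: c for m, c in out.items() if c}
def pmul(p, r, q=Q):
    out = {}
    for (m1, c1), (m2, c2) in product(p.items(), r.items()):
        m = tuple(a + b for a, b in zip(m1, m2))
        out[m] = (out.get(m, 0) + c1 * c2) % q
    return {m: c for m, c in out.items() if c}
def const(c, q=Q): return {ZERO: c % q} if c % q else {}
def var(v): return {tuple(1 if u == v else 0 for u in VARS): 1}
def B_literal(lit, q=Q):
    """Definition 5 on literals: B(x) = 1 - x and B(~x) = x^3."""
    if lit.startswith("~"):
        xv = var(lit[1:])
        return pmul(pmul(xv, xv, q), xv, q)
    return padd(const(1, q), pmul(const(-1, q), var(lit), q), q)
def B_formula(phi, q=Q):
    """B_q of a CNF given as [(multiplicity, clause)]: sum over clauses of products over literals."""
    total = {}
    for mult, lits in phi:
        pc = const(1, q)                       # the empty clause is false, and B(false) = 1
        for lit in lits:
            pc = pmul(pc, B_literal(lit, q), q)
        total = padd(total, pmul(const(mult, q), pc, q), q)
    return total
def partial_eval(p, sigma, q=Q):
    """Pi_sigma: substitute the variables assigned by sigma and keep the others symbolic."""
    out = {}
    for m, c in p.items():
        val, m2 = c, list(m)
        for v, a in sigma.items():
            i = VARS.index(v)
            val = val * pow(a, m[i], q) % q
            m2[i] = 0
        m2 = tuple(m2)
        out[m2] = (out.get(m2, 0) + val) % q
    return {m: c for m, c in out.items() if c}
def univariate(p, x):
    """Coefficient list a_0, ..., a_deg of a polynomial that depends on x only."""
    i = VARS.index(x)
    assert all(e == 0 for m in p for j, e in enumerate(m) if j != i), "not univariate in " + x
    deg = max((m[i] for m in p), default=0)
    return [p.get(tuple(k if j == i else 0 for j in range(len(VARS))), 0) for k in range(deg + 1)]
def gamma(a, q=Q):
    """gamma_x of Lemma 10 on a3 x^3 + a1 x + a0: the constant -a3*a1 + a1 + a0."""
    assert len(a) <= 4, "degree above 3: not the arithmetisation of an input to R_x"
    a = a + [0] * (4 - len(a))
    return [(-a[3] * a[1] + a[1] + a[0]) % q]
def delta(a, q=Q):
    """delta_x of Lemma 11: (a6 + a4 + a3) x^3 + (a2 + a1) x + a0."""
    a = a + [0] * (7 - len(a))
    return [a[0], (a[2] + a[1]) % q, 0, (a[6] + a[4] + a[3]) % q]
def eval_uni(a, r, q=Q): return sum(c * pow(r, k, q) for k, c in enumerate(a)) % q
def run_protocol(phi_seq, steps, sigma0, randoms, q=Q):
    """Table 2 for DAVISPUTNAM with an honest Prover; Verifier's random elements r are passed in.
    Returns (accepted, list of the claims w tracked by Verifier, one per round)."""
    k = len(steps)
    polys = [B_formula(f, q) for f in phi_seq]             # Prover's side: B_q(phi_0), ..., B_q(phi_k)
    w = polys[k].get(ZERO, 0)                               # steps 2-3: B_q(phi_k) is a constant
    if w == 0:
        return False, []
    sigma, claims = dict(sigma0), [w]
    for i in range(k, 0, -1):
        kind, x = steps[i - 1]                              # macrostep M_i and its pivot variable
        sigma_prime = {v: a for v, a in sigma.items() if v != x}
        p = univariate(partial_eval(polys[i - 1], sigma_prime, q), x)   # 4.1: Prover's message
        if len(p) - 1 > D:                                  # 4.2: degree bound
            return False, claims
        pm = gamma(p, q) if kind == "R" else delta(p, q)
        if eval_uni(pm, sigma[x], q) != w:                  # 4.2: Pi_[x:=sigma(x)] P_M(p) == w ?
            return False, claims
        r = randoms[k - i]
        w, sigma[x] = eval_uni(p, r, q), r                  # the new claim is about phi_{i-1}
        claims.append(w)
    final = partial_eval(polys[0], sigma, q).get(ZERO, 0)   # step 5: Verifier evaluates Pi_sigma B_q(phi_0)
    return final == w, claims
# The run of Table 1 on phi, copied in as data: phi_0 .. phi_6 as [(multiplicity, clause)] lists.
PHI = [
    [(1, ["x", "y"]), (1, ["x", "~y", "~z"]), (1, ["~x", "~z"]), (1, ["~x", "~y", "~z"]), (1, ["y", "z"]), (1, ["~y", "z"])],
    [(1, ["y", "~z"]), (1, ["y", "~y", "~z"]), (1, ["~y", "~z", "~z"]), (1, ["~y", "~z", "~y", "~z"]), (1, ["y", "z"]), (1, ["~y", "z"])],
    [(1, ["y", "~z"]), (2, ["~y", "~z", "~z"]), (1, ["y", "z"]), (1, ["~y", "z"])],
    [(1, ["y", "~z"]), (2, ["~y", "~z"]), (1, ["y", "z"]), (1, ["~y", "z"])],
    [(2, ["~z", "~z"]), (3, ["~z", "z"]), (1, ["z", "z"])],
    [(2, ["~z"]), (1, ["z"])],
    [(2, [])],
]
STEPS = [("R", "x"), ("C", "y"), ("C", "z"), ("R", "y"), ("C", "z"), ("R", "z")]   # M_1 .. M_6
SIGMA0 = {"x": 3, "y": 4, "z": 3}      # Verifier's initial assignment in Table 3
RANDOMS = [4, 2, 2, 3, 1, 2]           # Verifier's choices of r in Table 3, rounds k = 6 down to 1
```

Calling `run_protocol(PHI, STEPS, SIGMA0, RANDOMS)` returns acceptance together with the claims $2, 125, 105, 113, 11623, 1456$ of Table 3 followed by the value checked in the final step. Replacing one intermediate formula by something that is not the result of the corresponding macrostep (for instance, appending a clause to $\varphi_3$) makes the step 4.2 check fail at the round that consumes it, because $\Pi_{[x := \sigma(x)]} P_{M_i}(p)$ then differs from the tracked claim about $\varphi_i$.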


7 Conclusions 


We have presented the first technique for the systematic derivation of interactive 
proof systems competitive with a given algorithm for UNSAT. More precisely, 
we have shown that such systems can be automatically derived from arithmeti- 
sations satisfying a few commutativity properties. In particular, this result in- 
dicates that non-standard arithmetisations can be key to obtaining competitive 
interactive proof systems for practical algorithms. We have applied our technique 
to derive the first interactive proof system for the Davis-Putnam resolution pro- 
cedure, opening the door to interactive proof systems for less restrictive variants 
of resolution. 

Lovász et al. have shown that given a refutation by the Davis-Putnam reso- 
lution procedure, one can extract a multi-valued decision diagram, polynomial 
in the size of the refutation, in which the path for a given truth assignment leads 
to a clause false under that assignment (that is, to a clause witnessing that the 
assignment does not satisfy the formula) [14]. This suggests a possible connec- 
tion between our work and the work of Couillard et al. in [5]. As mentioned in 
the introduction, [5] presents an interactive proof system competitive with the 
algorithm for UNSAT that iteratively constructs a BDD for the formula (start- 
ing at the leaves of its syntax tree, and moving up at each step), and returns 
"unsatisfiable" iff the BDD for the root of the tree only contains the node 0. 
We conjecture that a future version of our systematic derivation technique could 
subsume both [5] and this paper. 
Abstract. We show that the guarded-negation fragment (GNFO) is, in 
a precise sense, the smallest extension of the guarded fragment (GFO) 
with Craig interpolation. In contrast, we show that the smallest extension 
of the two-variable fragment (FO²), and of the forward fragment (FF) 
with Craig interpolation, is full first-order logic. Similarly, we also show 
that all extensions of FO² and of the fluted fragment (FL) with Craig 
interpolation are undecidable. 


Keywords: Craig interpolation - Decidability - Abstract model theory. 


1 Introduction 


The study of decidable fragments of first-order logic (FO) is a topic with a long history, dating back to the early 1900s ([40,52], cf. also [16]), and more actively pursued since the 1990s. Inspired by Vardi [55], who asked “what makes modal logic so robustly decidable?” and Andréka et al. [1], who asked “what makes modal logic tick?”, many decidable fragments have been introduced and studied over the last 25 years that take inspiration from modal logic (ML), which itself can be viewed as a fragment of FO that features a restricted form of quantification. These include the following fragments, each of which naturally generalizes modal logic in a different way: the two-variable fragment (FO²) [42], the guarded fragment (GFO) [1], and the unary negation fragment (UNFO) [22]. Further decidable extensions of these fragments were subsequently identified, including the two-variable fragment with counting quantifiers (C²) [29] and the guarded negation fragment (GNFO) [4]. The latter can be viewed as a common generalization of GFO and UNFO. Many decidable logics used in computer science and AI, including various description logics and rule-based languages, can be translated into GNFO and/or C². In this sense, GNFO and C² are convenient tools for explaining the decidability of other logics. Extensions of GNFO have been studied that push the decidability frontier even further (for instance with fixed-point operators and using clique-guards), but these fall outside the scope of this paper.

In an earlier line of investigation, Quine identified the decidable fluted fragment (FL) [51], the first of several ordered logics which have been the subject of recent interest [47,48,49,50,44]. The idea behind ordered logics is to restrict the order in which variables are allowed to occur in atomic formulas and quantifiers.
© The Author(s) 2024

Fig. 1. Landscape of decidable fragments of FO with and without CIP (each fragment is marked accordingly in the figure). The inclusion marked (*) holds only for sentences and self-guarded formulas.


Another recently introduced decidable fragment that falls in this family is the forward fragment (FF), whose syntax strictly generalizes that of FL. Both FL and FF have the finite model property (FMP) [44] and embed ML [84], but are incomparable in expressive power to GFO [45], FO², and UNFO.³

Ideally, an FO-fragment is not only decidable, but also model-theoretically well behaved. A particularly important model-theoretic property of logics is the Craig Interpolation Property (CIP). It states that, for all formulas $\varphi, \psi$, if $\varphi \models \psi$, then there exists a formula $\vartheta$ such that $\varphi \models \vartheta$ and $\vartheta \models \psi$, and such that all non-logical symbols occurring in $\vartheta$ occur both in $\varphi$ and in $\psi$. Craig [24] proved in 1957 that FO itself has this property (hence the name). Several refinements of Craig's result have subsequently been obtained (e.g., [Z3T0}). These have found applications in various areas of computer science and AI, including formal verification, modular hard/software specification and automated deduction MIMS], and are emerging as a new prominent technology in databases [53,12] and knowledge representation [39,21,37]. While we have described CIP here as a model theoretic property, it also has a proof-theoretic interpretation. Indeed, it has been argued that CIP is an indicator for the existence of nice proof systems [82].

Turning our attention to the decidable fragments of FO we mentioned earlier, it turns out that, although GFO is in many ways model-theoretically well-behaved [1], it lacks CIP [33]. Likewise, FO² lacks CIP [23] and the same holds for C² ([35, Example 2] yields a counterexample). Both FF and FL lack CIP [7]. On the other hand, UNFO and GNFO have CIP [22,3]. Figure 1 summarizes these known results. Note that we restrict attention to relational signatures without constant symbols and function symbols. Some of the results depend on this restriction. Other known results not reflected in Figure 1 (to avoid clutter) are that


³ Specifically, the FO-sentence $\exists xy(R(x,y) \wedge R(y,x))$ belongs to GFO, FO² and UNFO, but is not expressible in FF, since the structure consisting of two points with symmetric edges and the structure $(\mathbb{Z}, S)$ with $S$ the successor relation are “infix bisimilar,” as described in [7].
the intersection of GFO and FO² (also known as GFO²) has CIP [33]. Similarly, the intersection of FF with GFO and the intersection of FL with GFO (known as GFF and GFL, respectively) have CIP [7].

When a logic L lacks CIP, the question naturally arises as to whether there exists a more expressive logic L' that has CIP. If such an L' exists, then, in particular, interpolants for valid L-implications can be found in L'. This line of analysis is sometimes referred to as Repairing Interpolation [2]. If L' is an FO-fragment, and our aim is to repair interpolation by extension, then there is a trivial solution: FO itself is an extension of L satisfying CIP. We will instead consider the following refinement of the question: can a natural extension L' of L be identified which satisfies CIP while retaining decidability? We will answer this question for three of the fragments depicted in Figure 1 that lack CIP, by identifying the minimal natural extension L' of L satisfying CIP. Our main results can be stated informally as follows:


1. The smallest logic extending GFO that has CIP is GNFO.

2. The smallest logic extending FO² that has CIP is FO, and no decidable extension of FO² has CIP.

3. The smallest logic extending FF that has CIP is FO, and no decidable extension of FL has CIP.


The precise statements of these results will be given in the respective sections. 
They involve some natural closure assumptions on the logics in question, and, for 
the undecidability results, some assumptions regarding the effective computabil- 
ity of the translation between the extension and the logic that it extends. 

These results give us a clear sense of where, in the larger landscape of decidable fragments of FO, we may find logics that enjoy CIP. What makes the above results remarkable is that, from the definition of the Craig interpolation property, it doesn't appear to follow that a logic without CIP would have a unique minimal extension with CIP. Note that a valid implication may have many possible interpolants, and the Craig interpolation property merely requires the existence of one such interpolant. Nevertheless, the above results show that, in the case of FO², GFO, and FF, such a unique minimal extension indeed exists (assuming suitable closure properties, which will be spelled out in detail in the next sections).


Related Work. Several other approaches have been proposed for dealing with logics that lack CIP. One approach is to weaken CIP. For example, it was shown in that GFO satisfies a weak, “modal” form of Craig interpolation, where, roughly speaking, only the relation symbols that occur in non-guard positions in the interpolant are required to occur both in the premise and the conclusion. As it turns out, this weakening of CIP is strong enough to entail the (non-projective) Beth Definability Property, which is one important use case of CIP. See also Section 7 for further discussion of weak forms of CIP.

Another recent approach [35] is to develop algorithms for testing whether an interpolant exists for a given entailment. That is, rather than viewing Craig interpolation as a property of logics, the existence of interpolants is studied as an algorithmic problem at the level of individual entailments. The interpolant existence problem turns out to be indeed decidable (although of higher complexity than the satisfiability problem) for both GFO and FO² [35].


Additional results are known for UNFO and GNFO beyond the fact that 
they have CIP. In particular, CIP holds for their fixed-point extensions [DIS], 
interpolants can be constructed effectively, and tight bounds are known on the 
size of interpolants and the computational complexity of computing them [I]. 


Our paper can be viewed as an instance of abstract model theory for fragments of FO. One large driving force behind the development of abstract model theory was the identification of extensions of FO which satisfy desirable model-theoretic properties, such as the compactness theorem, the Löwenheim-Skolem theorem, and Craig interpolation. One takeaway from this line of research is that CIP is scarce among many “reasonable” FO-extensions. An early result of Lindström showed that FO-extensions with finitely many generalized quantifiers and satisfying the downward Löwenheim-Skolem property do not have the Beth property (and hence fail to satisfy CIP) [38]. Similarly, Caicedo [17], generalizing an early result by Friedman [26], established a strong negative CIP result that applies to arbitrary proper FO-extensions with monadic generalized quantifiers. For a survey of negative interpolation results among FO-extensions, see [54]. These negative results not only show that CIP is scarce among extensions of FO, they also provide clues as to where, within the space of all extensions, one may hope to find logics with CIP. Our results can be viewed similarly, except that they pertain to (extensions of) fragments of FO.


Our results can also be appreciated as characterizations of GNFO and of FO. While traditional Lindström-style characterizations are maximality theorems (e.g., FO is a maximal logic having the compactness and Löwenheim-Skolem properties), our results can be viewed as minimality theorems (e.g., GNFO is the minimal logic extending GFO and having CIP).


Some prior work exists that studies abstract model theory for (extensions of) fragments of FO. Most closely related is [19], which studies modal logics and hybrid logics. Among other things, it was shown in [19] that the smallest extension of modal logic with the difference operator (ML(D)) which satisfies CIP is full first-order logic. Additionally, in [28], the authors identified minimal extensions of various fragments of propositional linear temporal logic (PLTL) with CIP. Furthermore, it was shown in [19] that every abstract logic extending GFO with CIP can express all FO sentences and formulas with one free variable, and is thus undecidable. A crucial difference between this result and ours is that [19] assumes signatures with constant symbols and concerns a stronger version of CIP, interpolating not only over relation symbols but also over constant symbols. In contrast, we only consider purely relational signatures without constant symbols. Other prior work on abstract model theory for fragments of FO are [13,15,27]. Repairing interpolation has also been pursued in the context of quantified modal logics, which typically lack CIP; in [2], the authors showed that CIP can be repaired for such logics by adding nominals, @-operators and the $\downarrow$-binder.
Outline. Section 2 introduces the abstract model-theoretic framework. In Sections 3, 4 and 5 we repair interpolation for FO², GFO, and FF, respectively. In Section 6 we provide results showing that, even with weak expressive assumptions, extensions of FO² and FL with CIP are undecidable. In Section 7 we discuss the implications and limitations of our results, and future directions.


2 Preliminaries 


We assume familiarity with the syntax and semantics of FO. Signatures are denoted by $\sigma$ and $\tau$, and are assumed to be relational and finite. If $\varphi$ contains only relation symbols occurring in $\sigma$, then we write $M, g \models \varphi$ to denote that a $\sigma$-structure $M$ satisfies $\varphi$ under the variable assignment $g$. We write $x_i, y_i, z_i, u_i$ to denote variables, and $\bar{x}, \bar{y}, \bar{z}, \bar{u}$ to denote tuples of variables. We write $a_i, b_i, c_i$ to denote elements of structures and $\bar{a}, \bar{b}, \bar{c}$ to denote tuples of such elements. Given a tuple of elements $\bar{a} = a_1, \ldots, a_n$ in a structure $M$, a tuple of variables $\bar{x} = x_1, \ldots, x_n$, and a variable assignment $g$, we write $g[\bar{x}/\bar{a}]$ to denote the variable assignment which is the same as $g$ except that $g(x_i) = a_i$ for each $i \leq n$.

In order to state our main results precisely, we must formally define what we mean by extensions $L'$ of $L$ (where $L$ is some fragment of FO that lacks CIP). One option is to let $L'$ range over fragments of FO that syntactically include $L$. However, as it turns out, our main results apply even to extensions that are not themselves contained in FO. We therefore opt, instead, to work with an abstract definition of logics, as typically used in abstract model theory.


Abstract Logics. An abstract logic (or logic) is a pair $(L, \models_L)$, where $L$ is a map from relational signatures $\sigma$ to collections of formulas, and $\models_L$ is a ternary satisfaction relation. A formula of an abstract logic $(L, \models_L)$ is an element of $L(\sigma)$ for some finite relational signature $\sigma$. $L$ must be monotone: if $\sigma \subseteq \tau$, then $L(\sigma) \subseteq L(\tau)$. Each formula $\varphi$ has an associated finite set of free variables $\mathrm{free}(\varphi)$, and we write $\varphi(\bar{x})$ or $\varphi(x_1, \ldots, x_k)$ to denote that the free variables of $\varphi$ are exactly those in the tuple $\bar{x} = x_1, \ldots, x_k$. As in the case of FO, a formula $\varphi$ is a sentence if $\mathrm{free}(\varphi) = \emptyset$. We write $\mathrm{sig}(\varphi)$ to denote the least signature $\sigma$ such that $\varphi \in L(\sigma)$. The ternary satisfaction relation $\models_L$ is defined over triples $(M, g, \varphi)$, where $\varphi$ is an $L$-formula, $M$ is a $\tau$-structure such that $\mathrm{sig}(\varphi) \subseteq \tau$, and $g$ is a variable assignment with $\mathrm{free}(\varphi) \subseteq \mathrm{dom}(g)$; we write $M, g \models_L \varphi$ if this relation holds between these objects. The notions of logical consequence and logical equivalence for abstract logics are defined completely analogously to FO. In later sections, we will prefer to suppress the subscript $L$ in the notation for the satisfaction relation and write $L$ to denote an abstract logic $(L, \models_L)$. Furthermore, we often write $\varphi \in L$ rather than $\varphi \in L(\sigma)$, leaving the signature implicit.

All abstract logics $L$ are assumed to satisfy the reduct property and the renaming property. The reduct property states that if $\sigma \subseteq \tau$, then for all $\varphi \in L(\sigma)$, all $\tau$-structures $M$, and all assignments $g$, if $M, g \models_L \varphi$, then $M{\restriction}\sigma, g \models_L \varphi$. In other words, the truth of a formula of an abstract logic $L$ in a structure depends only on the interpretations of the symbols in the signature of that formula. The renaming property states that if $\rho : \sigma \to \tau$ is an injective map preserving the arity of relation symbols, then for each formula $\varphi \in L(\sigma)$, there is a formula $\psi \in L(\tau)$ such that for all $\tau$-structures $M$, we have that $M, g \models_L \psi$ if and only if $\rho^{-1}[M], g \models_L \varphi$, where $\rho^{-1}[M]$ is the $\sigma$-structure with the same domain as $M$ where, for each $R \in \sigma$, we have that $R^{\rho^{-1}[M]} = \rho(R)^M$. Intuitively, the renaming property states that if a formula over a signature $\sigma$ can be expressed in a logic $L$, then the formula obtained by renaming all of its relation symbols can also be expressed in $L$.

For arbitrary abstract logics $L$, the Craig interpolation property states that if $\varphi \models_L \psi$ for $L$-formulas $\varphi$ and $\psi$, then there exists a formula $\vartheta \in L(\mathrm{sig}(\varphi) \cap \mathrm{sig}(\psi))$ with $\mathrm{free}(\vartheta) = \mathrm{free}(\varphi) \cap \mathrm{free}(\psi)$ such that $\varphi \models_L \vartheta$ and $\vartheta \models_L \psi$.

We say a formula $\varphi$ of a logic $L$ expresses a formula $\psi$ of a logic $L'$ if $\mathrm{free}(\varphi) = \mathrm{free}(\psi)$, $\mathrm{sig}(\varphi) = \mathrm{sig}(\psi)$, and for all structures $M$ and assignments $g$, we have that $M, g \models_L \varphi$ if and only if $M, g \models_{L'} \psi$. We say that a logic $L'$ is an extension of a logic $L$ (notation: $L \leq L'$) if $L'$ can express all formulas of $L$. An FO-fragment can then be precisely defined, without reference to syntax, as a logic of which FO is an extension. We say that $L'$ is a sentential extension of $L$ (notation: $L \leq_{\mathrm{sent}} L'$) if $L'$ can express all sentences of $L$.

Let $L$ be a logic and $\psi(x_1, \ldots, x_n)$ be an $L$-formula. We write $[\psi]^M$ for the collection of tuples $(a_1, \ldots, a_n) \in M^n$ such that there exists an assignment $g$ where $M, g \models \psi$ and $g(x_i) = a_i$ for each $i \leq n$. Given formulas $\psi_1, \ldots, \psi_k \in L(\sigma)$, a $\sigma$-structure $M$, and relation symbols $R_1, \ldots, R_k \in \sigma$ with $|\mathrm{free}(\psi_i)| = \mathrm{arity}(R_i)$ for each $i \leq k$, we define $M[R_1/\psi_1, \ldots, R_k/\psi_k]$ to be the $\sigma$-structure with the same domain as $M$ and such that $R_i^{M[R_1/\psi_1, \ldots, R_k/\psi_k]} = [\psi_i]^M$ for each $i \leq k$.


We now describe a syntax-free notion of uniform substitution for formulas of an abstract logic.


Definition 2.1. Let $L$ be a logic and $\varphi \in L(\sigma)$ with $R_1, \ldots, R_k \in \mathrm{sig}(\varphi)$, where for each $i \leq k$, we have that $R_i$ is a $k_i$-ary relation symbol. Furthermore, let $\psi_1, \ldots, \psi_k \in L(\sigma)$ be formulas with $|\mathrm{free}(\psi_i)| = k_i$ for each $i \leq k$. We say that $L$ expresses the substitution of $\psi_1, \ldots, \psi_k$ for $R_1, \ldots, R_k$ in $\varphi$ if there exists a formula $\chi \in L(\sigma)$ such that, for every $\sigma$-structure $M$,


$$M, g \models \chi \iff M[R_1/\psi_1, \ldots, R_k/\psi_k], g \models \varphi.$$


Most studies in abstract logic assume that the logics under study are regular, 
roughly meaning that they can express atomic formulas, Boolean connectives, 
and existential quantification. In other words, to study regular logics is to study 
extensions of FO. Since we are interested in a more fine-grained view of logics 
including FO-fragments, these assumptions are too strong. As a result, the first 
step of studying extensions of FO-fragments from the perspective of abstract 
logic is to identify natural expressive assumptions for those extensions which are 
strictly weaker than regularity. We do this in the respective sections. 

Some of our proofs will use second-order quantification (for expository reasons only), and we recall the semantics of these quantifiers here. Given a formula $\varphi \in L(\sigma \cup \{P\})$ of some abstract logic $L$, we can form new formulas $\exists P\varphi$ and $\forall P\varphi$ with signature $\sigma$ and the same free variables as $\varphi$. Given a $\sigma$-structure $M$ and an assignment $g$, the semantics of these formulas are defined as follows:


$M, g \models \exists P\varphi$ if there is a $\sigma \cup \{P\}$-expansion $M'$ of $M$ such that $M', g \models \varphi$, and

$M, g \models \forall P\varphi$ if for all $\sigma \cup \{P\}$-expansions $M'$ of $M$, we have that $M', g \models \varphi$.


If $L$ itself does not allow second-order quantification, we can view $\exists P\varphi$ and $\forall P\varphi$ as elements of $L'(\sigma)$ for a suitable extension $L'$ of $L$. In particular, if $\varphi$ is an FO-formula, then $\exists P\varphi$ and $\forall P\varphi$ are formulas of second-order logic (SO).


3 Repairing Interpolation for FO²


The two-variable fragment (FO²) consists of all FO-formulas containing only two variables, say, $x$ and $y$, where we allow for nested quantifiers that reuse the same variable (as in $\exists xy(R(x,y) \wedge \exists x(R(y,x)))$, expressing the existence of a path of length 2). In this context, as is customary, we restrict attention to relations of arity at most 2. It is known that FO² is decidable but does not have CIP [23].


3.1 Natural Extensions of FO²


While FO² is restricted to only two variables and predicates of arity at most 2, it has no restriction on its connectives: it is fully closed under Boolean connectives and existential and universal quantification. Because of this fact, we will consider in this section those abstract logics which are strong extensions of FO².


Definition 3.1. We say that a logic $L'$ strongly extends a logic $L$ if $L'$ extends $L$ and, for each formula $\varphi \in L'$ with $R_1, \ldots, R_k \in \mathrm{sig}(\varphi)$, where $\varphi$ expresses some formula of $L$, and all formulas $\psi_1, \ldots, \psi_k \in L'$, we have that $L'$ expresses the substitution of $\psi_1, \ldots, \psi_k$ for $R_1, \ldots, R_k$ in $\varphi$ (cf. Definition 2.1).


Intuitively, Definition 3.1 means that $L'$ can express uniform substitutions of its formulas into formulas of $L$. In other words, the notion of a strong extension is a syntax-free way to say that $L'$ extends $L$ and is closed under the connectives of $L$. In particular, if $L$ strongly extends FO², then $L$ can express all of the usual first-order connectives: for $\psi_0$ and $\psi_1$ expressible in $L$, it must also be the case that $\neg\psi_0$, $\psi_0 \wedge \psi_1$, and $\exists x\psi_0$ are expressible in $L$, under the usual semantics of these connectives. Clearly FO² is the smallest strong extension of itself.


3.2 Finding the Minimal Extension of FO² with CIP


Recall that we write $L \leq_{\mathrm{sent}} L'$ if every sentence of $L$ is expressible in $L'$. Our main result in this section is the following.


Theorem 3.1. If $L$ is a strong extension of FO² with CIP, then $\mathrm{FO} \leq_{\mathrm{sent}} L$.
Proof. We will show by induction on the complexity of formulas that, for every FO-formula $\varphi(x_1, \ldots, x_n)$ there is a sentence $\psi \in L$ over an extended signature containing additional unary predicates $P_1, \ldots, P_n$, that is equivalent to


$$\exists x_1 \ldots x_n\Big(\Big(\bigwedge_{i=1 \ldots n} P_i(x_i) \wedge \forall y(P_i(y) \to y = x_i)\Big) \wedge \varphi(x_1, \ldots, x_n)\Big).$$


In other words, $\psi$ is a sentence expressing that $\varphi$ holds under an assignment of its free variables to some tuple of elements which uniquely satisfy the $P_i$ predicates. In the case that $n = 0$ (i.e., the case that $\varphi$ is a sentence), we then have that $\psi$ is equivalent to $\varphi$, which shows that $\mathrm{FO} \leq_{\mathrm{sent}} L$.

The base case of the induction is straightforward (recall that we restrict attention to relations of arity at most 2). The induction step for the Boolean connectives is straightforward as well (using the fact that $L$ is a strong extension of FO², and thus can express all connectives of FO²). In fact, the only non-trivial part of the argument is the induction step for the existential quantifier.


Let $\varphi(x_1, \ldots, x_n)$ be of the form $\exists x_{n+1}\varphi'(x_1, \ldots, x_n, x_{n+1})$. By the inductive hypothesis, there is an $L$-sentence $\psi$ with $\mathrm{sig}(\psi) = \mathrm{sig}(\varphi') \cup \{P_1, \ldots, P_{n+1}\}$, where $P_1, \ldots, P_{n+1}$ are unary predicates not in $\mathrm{sig}(\varphi')$, which is equivalent to

$$\exists x_1 \ldots x_{n+1}\Big(\Big(\bigwedge_{i \leq n+1} P_i(x_i) \wedge \forall y(P_i(y) \to y = x_i)\Big) \wedge \varphi'(x_1, \ldots, x_{n+1})\Big).$$


Now, let $\psi'$ be obtained from $\psi$ by replacing every occurrence of $P_{n+1}$ by $P'$ for some fresh unary predicate $P'$; this is expressible in $L$ by the renaming property. Furthermore, let


$$\begin{aligned}
\gamma(x) &:= \psi \wedge P_{n+1}(x), \text{ and} \\
\chi(x) &:= \big(P'(x) \wedge \forall y(P'(y) \to y = x)\big) \to \psi'
\end{aligned}$$


(where $x$ is either of the two variables we have at our disposal; it does not matter which). Since $L$ strongly extends FO², both can be written as an $L$-formula. Then


$$\gamma(x) \models \chi(x).$$


Let $\vartheta(x) \in L$ be an interpolant. Observe that since $P_{n+1}$ occurs only in $\gamma(x)$ and $P'$ only in $\chi(x)$, the following second-order entailment is also valid:


$$\exists P_{n+1}\gamma(x) \models \vartheta(x) \models \forall P'\chi(x).$$


It is not hard to see that $\exists P_{n+1}\gamma(x)$ and $\forall P'\chi(x)$ are equivalent. Indeed, both are satisfied in a structure $M$ under an assignment $g$ precisely if $M', g \models \psi$, where $M'$ is the expansion of $M$ in which $P_{n+1}$ denotes the singleton set $\{g(x)\}$. It then follows that $\vartheta(x)$, being sandwiched between the two, is also equivalent to $\exists P_{n+1}\gamma(x)$. This implies that $\vartheta(x)$ is the unique interpolant (up to logical equivalence) of the entailment $\gamma(x) \models \chi(x)$, and so it is expressible in $L$. Then since $L$ strongly extends FO², it can express $\exists x\vartheta(x)$. We claim that this sentence satisfies the requirement of our claim. To see this, observe that $\exists x\vartheta(x)$ is equivalent to $\exists x\exists P_{n+1}\gamma(x)$, which is equivalent to $\exists P_{n+1}\psi$, which clearly satisfies the requirement of our claim.


4 Repairing Interpolation for GFO


The guarded fragment (GFO) [1] allows formulas in which all quantifiers are “guarded.” Formally, a guard for a formula $\varphi$ is an atomic formula $\alpha$ whose free variables include all free variables of $\varphi$. Following [80], we allow $\alpha$ to be an equality. More generally, by an $\exists$-guard for $\varphi$, we will mean a possibly-existentially-quantified atomic formula $\exists\bar{x}\alpha$ whose free variables include all free variables of $\varphi$. The formulas of GFO are generated by the following grammar:


$$\varphi ::= \top \mid R(\bar{x}) \mid x = y \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \neg\varphi \mid \exists\bar{x}(\alpha \wedge \varphi),$$


where, in the last clause, $\alpha$ is a guard for $\varphi$. Note again that we do not allow constants and function symbols.

In the guarded-negation fragment (GNFO) [4], arbitrary existential quantification is allowed, but every negation is required to be guarded. More precisely, the formulas of GNFO are generated by the following grammar:


$$\varphi ::= \top \mid R(\bar{x}) \mid x = y \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists x\varphi \mid \alpha \wedge \neg\varphi,$$


where, in the last clause, $\alpha$ is a guard for $\varphi$.

As is customary, the above definitions are phrased in terms of ordinary guards $\alpha$. However, it is easy to see that if we allow for $\exists$-guards, this would not affect the expressive power (or computational complexity) of these logics in any way. This is because, when the variables in the tuple $\bar{x}$ do not occur free in $\varphi$, as is the case when $\exists\bar{x}\beta$ is an $\exists$-guard for $\varphi$, then we can write $\exists\bar{x}\beta \wedge \varphi$ equivalently as $\exists\bar{x}(\beta \wedge \varphi)$. In other words, an $\exists$-guard is as good as an ordinary guard. We call an FO-formula self-guarded if it is either a sentence or it is of the form $\alpha \wedge \varphi$ where $\alpha$ is an $\exists$-guard for $\varphi$.

In this section, we will require the notions of conjunctive queries (CQs) and unions of conjunctive queries (UCQs). A CQ is an FO-formula of the form


$$\varphi(x_1, \ldots, x_n) = \exists y_1 \ldots \exists y_m\Big(\bigwedge_{i \in I} \alpha_i\Big),$$


where each $\alpha_i$ is an atomic relation, possibly an equality, whose free variables are among $\{x_1, \ldots, x_n, y_1, \ldots, y_m\}$. The collection of all CQs is expressively equivalent to the fragment $\mathrm{FO}_{\exists\wedge}$ of first-order logic, which is generated by the following grammar:


$$\varphi ::= R(x_1, \ldots, x_k) \mid x = y \mid \varphi \wedge \varphi \mid \exists x\varphi.$$

A UCQ is a finite disjunction of CQs. Importantly, GNFO can be alternatively characterized as the smallest logic which can express every UCQ and is closed under guarded negation [4]. This is made explicit in the following expressively equivalent grammar for GNFO:


$$\varphi ::= \top \mid R(\bar{x}) \mid x = y \mid \alpha \wedge \neg\varphi \mid q[R_1/\varphi_1, \ldots, R_n/\varphi_n],$$


where $q$ is a UCQ with relation symbols $R_1, \ldots, R_n$ and $\varphi_1, \ldots, \varphi_n$ are self-guarded formulas with the appropriate number of free variables and generated by the same recursive grammar. We refer to this as the UCQ syntax for GNFO.
4.1 Natural Extensions of GFO


Unlike FO², guarded fragments are peculiar in that they are not closed under substitution. For example, $\exists xy(R(x,y) \wedge \neg S(x,y))$ belongs to GFO, but if we substitute $x = x \wedge y = y$ for $R(x,y)$, we obtain $\exists xy(x = x \wedge y = y \wedge \neg S(x,y))$, which does not belong to GFO (and is not even expressible in GNFO). GFO and GNFO are, however, closed under self-guarded substitution: we can uniformly substitute self-guarded formulas for atomic relations. We generalize the notion of a self-guarded formula to abstract logics $L$ as follows: a formula $\varphi(\bar{x}) \in L(\sigma)$ with $\mathrm{free}(\varphi) = \{x_1, \ldots, x_k\}$ is self-guarded if there is an $n$-ary relation symbol $G \in \sigma$, where $n \geq k$, and a tuple of variables $\bar{y}$ containing exactly the variables $\mathrm{free}(\varphi) \cup \{z_1, \ldots, z_m\}$, such that for all $\sigma$-structures $M$ and assignments $g$,


$$M, g \models \varphi \implies M, g \models \exists z_1 \ldots \exists z_m G(\bar{y}).$$


Intuitively, we can think of a self-guarded $L$-formula as a conjunction of the form $\alpha \wedge \psi$, where $\alpha$ is an $\exists$-guard for $\psi$. We can then capture the notion of self-guarded substitution for abstract logics by the following definition.


Definition 4.1. We say that an abstract logic $L$ expresses self-guarded substitutions if, for each formula $\varphi \in L$ with $R_1, \ldots, R_k \in \mathrm{sig}(\varphi)$, and all self-guarded formulas $\psi_1, \ldots, \psi_k \in L$, we have that $L$ can express the substitution of $\psi_1, \ldots, \psi_k$ for $R_1, \ldots, R_k$ in $\varphi$ (cf. Definition 2.1).


It was shown in [4] that every self-guarded GFO-formula is expressible in GNFO. In particular, this applies to all GFO-sentences and GFO-formulas with at most one free variable (since all such formulas can be equivalently written as $x = x \wedge \varphi$). It is therefore common to treat GNFO as an extension of GFO. To make this precise, we say that $L'$ is a self-guarded extension of $L$ if $L'$ can express all self-guarded formulas of $L$ (notation: $L \leq_{\mathrm{sg}} L'$). In Figure 1 the line marked (*) indicates that GNFO extends GFO in this weaker sense. Furthermore, it is worth noting that GNFO is also not closed under implication, while GFO is. If it were, then GNFO would be able to express full negation (using formulas of the form $\varphi \to \bot$). However, GFO and GNFO both have disjunction and conjunction in common. We formalize all of these considerations into the following notion.


Definition 4.2. A guarded logic is a logic $L$ such that


1. $\mathrm{GFO} \leq_{\mathrm{sg}} L$,
2. $L$ expresses self-guarded substitutions, and
3. $L$ expresses conjunction and disjunction.


Clearly, GFO and GNFO are both guarded logics. Furthermore, observe that the smallest guarded logic consists of all conjunctions and disjunctions of self-guarded formulas of GFO.
4.2 Finding the Minimal Extension of GFO with CIP


Our main result in this section is the following.

Theorem 4.1. Let $L$ be a guarded logic with CIP. Then $\mathrm{GNFO} \leq L$.


In other words, loosely speaking, GNFO is the smallest extension of GFO with CIP. The proof is based on similar ideas as the proof of Theorem 3.1, but the argument is more intricate. The main thrust of the argument will be to show that our abstract logic $L$ can express all positive existential formulas, from which it will follow easily that $L$ is able to express all formulas in the UCQ syntax for GNFO. Toward this end, the main technical result is the following proposition.


Proposition 4.1. Let $L$ be a logic with CIP that can express atomic formulas, guarded quantification, conjunction, and unary implication. Then $\mathrm{FO}_{\exists\wedge} \leq L$.


Here, we say that a logic $L$ can express guarded quantification if, whenever $\varphi \in L$ and $\alpha$ is a guard for $\varphi$, $L$ can express $\exists\bar{x}(\alpha \wedge \varphi)$; we say that $L$ can express unary implications if, whenever $\varphi \in L$ and $\alpha$ is an atomic formula with only one free variable, $L$ can express $\alpha \to \varphi$.

The following definition is used in the proof of Proposition 4.1.


Definition 4.3. Let $\varphi$ be a formula in $\mathrm{FO}_{\exists\wedge}$, let $\bar{y} = y_1, \ldots, y_n$ be a tuple of distinct variables, and let $\bar{P} = P_1, \ldots, P_n$ be a tuple of unary predicates of the same length. Then $\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi)$ is defined recursively as follows:


$$\begin{aligned}
\mathrm{BIND}_{\bar{y},\bar{P}}(\alpha) &= \exists\bar{y}\Big(\alpha \wedge \bigwedge_{1 \leq i \leq n} P_i(y_i)\Big) \\
\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi \wedge \psi) &= \mathrm{BIND}_{\bar{y},\bar{P}}(\varphi) \wedge \mathrm{BIND}_{\bar{y},\bar{P}}(\psi) \\
\mathrm{BIND}_{\bar{y},\bar{P}}(\exists z\varphi) &= \exists z\big(\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi)\big),
\end{aligned}$$


where $\alpha$ is an atomic formula (possibly an equality).


The $\mathrm{BIND}_{\bar{y},\bar{P}}$ operation applied to a formula $\varphi \in \mathrm{FO}_{\exists\wedge}$ wraps each atomic subformula of $\varphi$ with quantifiers for the variables in $\bar{y}$, and adds additional unary predicates for these variables. Thus, the free variables of $\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi)$, for $\bar{y} = y_1, \ldots, y_n$, are exactly $\mathrm{free}(\varphi) \setminus \{y_1, \ldots, y_n\}$, which justifies our use of the word “BIND”. The utility of this definition is due to the following fact: for any $\varphi \in \mathrm{FO}_{\exists\wedge}$, whenever $M, g \models \mathrm{BIND}_{\bar{y},\bar{P}}(\varphi)$, and the interpretation in $M$ of each unary predicate $P_i$ in $\bar{P}$ is a singleton, then $M, g' \models \varphi$, where $g'$ is the extension of $g$ which maps each $y_i$ to the unique element satisfying $P_i$ (cf. Proposition 4.4). The following proposition is a simple consequence of the definition of BIND.
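A worked instance of Definition 4.3, added here as an illustration and not part of the original paper: take the constructed $\mathrm{FO}_{\exists\wedge}$-formula $\varphi(x,y) = \exists z(R(x,z) \wedge S(z,y))$ with $\bar{y} = y$ and $\bar{P} = P$. Unfolding the three clauses gives

$$\begin{aligned}
\mathrm{BIND}_{y,P}(\varphi) &= \exists z\big(\mathrm{BIND}_{y,P}(R(x,z) \wedge S(z,y))\big) \\
&= \exists z\big(\mathrm{BIND}_{y,P}(R(x,z)) \wedge \mathrm{BIND}_{y,P}(S(z,y))\big) \\
&= \exists z\big(\exists y(R(x,z) \wedge P(y)) \wedge \exists y(S(z,y) \wedge P(y))\big),
\end{aligned}$$

whose only free variable is $x$, exactly $\mathrm{free}(\varphi) \setminus \{y\}$. For the singleton fact: if $P^M = \{b\}$ and $M, g \models \mathrm{BIND}_{y,P}(\varphi)$ with $g(x) = a$, the witness $c$ for $z$ satisfies $R(a,c)$ (first conjunct) and $S(c,b)$ (second conjunct, since $b$ is the only element with $P(b)$), so $M, g[y/b] \models \varphi$; conversely, if $g(y) = b$, $P(b)$ holds and $M, g \models \varphi$ via some $c$, then $b$ witnesses both inner $\exists y$, which is the concrete form of Proposition 4.3 for this $\varphi$.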


Proposition 4.2. For all $\mathrm{FO}_{\exists\wedge}$-formulas $\varphi$ and for all $\bar{x}, \bar{y}$ and $\bar{P}, \bar{Q}$, if $\bar{x}$ and $\bar{y}$ are disjoint, then $\mathrm{BIND}_{\bar{x}\bar{y},\bar{P}\bar{Q}}(\varphi) = \mathrm{BIND}_{\bar{x},\bar{P}}(\mathrm{BIND}_{\bar{y},\bar{Q}}(\varphi))$.


A formula $\varphi$ is clean if no free variable of $\varphi$ also occurs bound in $\varphi$, and $\varphi$ does not contain two quantifiers for the same variable. Every FO-formula is equivalent to a clean FO-formula, and all subformulas of a clean formula are also clean. We now state two technical propositions, whose proofs can be found in the full version of this paper [20].
Proposition 4.3. For every clean $\mathrm{FO}_{\exists\wedge}$-formula $\varphi$, for every tuple of distinct variables $\bar{y} = y_1, \ldots, y_n$ (with each $y_i \in \mathrm{free}(\varphi)$), and for every tuple of unary predicates $\bar{P} = P_1, \ldots, P_n$, we have that


$$\Big(\bigwedge_{i \leq n} P_i(y_i)\Big) \models \varphi \to \mathrm{BIND}_{\bar{y},\bar{P}}(\varphi).$$


Proposition 4.4. For every clean $\mathrm{FO}_{\exists\wedge}$-formula $\varphi(x, \bar{y})$ with $\bar{y} = y_1, \ldots, y_n$ distinct from $x$, and for every $n$-tuple of unary predicates $\bar{P} = P_1, \ldots, P_n$ not occurring in $\varphi$, we have that


$$\exists x\varphi(x,\bar{y}) \equiv \forall\bar{P}\Big(\Big(\bigwedge_{i=1 \ldots n} P_i(y_i)\Big) \to \exists x\,\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi(x,\bar{y}))\Big).$$


The following lemma enables the proof of Proposition 4.1.


Lemma 4.1. Let $L$ be an FO-fragment which can express atomic formulas and is closed under guarded quantification, conjunction, and unary implication. If $L$ can express a formula $\varphi \in \mathrm{FO}_{\exists\wedge}$ and all of its subformulas, then for all tuples $\bar{y}$ of variables, we have that $L$ can express $\mathrm{BIND}_{\bar{y},\bar{P}}(\varphi)$.


Proof. We show by strong induction on the complexity of clean $\mathrm{FO}^{\exists\wedge}$-formulas $\varphi$ that this proposition holds.


Base Case
Suppose $\varphi$ is an atomic formula. Fix an arbitrary tuple $\bar y = y_1, \ldots, y_n$. Then
$$\mathrm{BIND}_{\bar y \to \bar P}(\varphi) = \exists \bar y\, \Big(\varphi \wedge \bigwedge_{1 \le i \le n} P_i(y_i)\Big),$$
which $L$ can express by closure under conjunction and guarded quantification.


Inductive Step

Suppose inductively that, for all formulas $\psi$ of lesser complexity than $\varphi$, and all tu­ples $\bar z$ of variables, we have that $L$ can express $\mathrm{BIND}_{\bar z \to \bar P}(\psi)$. Fix an arbitrary tuple $\bar y$ of variables.

Suppose that $\varphi = \psi_1 \wedge \psi_2$. Since $L$ can express $\varphi$ and all of its subformulas, it can also express $\psi_1$, $\psi_2$, and all of their subformulas. Then by the inductive hypothesis, $L$ can express $\mathrm{BIND}_{\bar y \to \bar P}(\psi_1)$ and $\mathrm{BIND}_{\bar y \to \bar P}(\psi_2)$. Then by closure under conjunctions, $L$ can express $\mathrm{BIND}_{\bar y \to \bar P}(\psi_1) \wedge \mathrm{BIND}_{\bar y \to \bar P}(\psi_2)$, which is the same as $\mathrm{BIND}_{\bar y \to \bar P}(\varphi)$ (cf. Definition 4.3).


Now suppose that $\varphi(\bar x, \bar y) = \exists z\, \psi(\bar x, \bar y, z)$, where the (possibly empty) tuple $\bar x$ consists of all free variables of $\varphi$ not in the tuple $\bar y$. We need to show that $L$ can express $\mathrm{BIND}_{\bar y \to \bar P}(\varphi(\bar x, \bar y))$, which is the same as $\exists z\,(\mathrm{BIND}_{\bar y \to \bar P}(\psi(\bar x, \bar y, z)))$ (cf. Definition 4.3). Since $L$ can express $\varphi$ and all of its subformulas, it can also express $\psi$ and all of its subformulas. Then, by the inductive hypothesis, $L$ can express $\mathrm{BIND}_{\bar y \to \bar P}(\psi)$, whose free variables are those in the tuple $\bar x z$, as well as $\mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi)$, whose only free variable is $z$. Since $L$ is closed under conjunction and guarded quantification, it follows that $L$ can express
$$\gamma(\bar x) := \exists z\,\big(G(\bar x, z) \wedge \mathrm{BIND}_{\bar y \to \bar P}(\psi)\big) \quad\text{and}\quad \exists z\,\big(z = z \wedge \mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi)\big),$$
where $G$ is a fresh relation symbol not occurring in $\psi$. Then by closure under unary implications, we have that $L$ can also express
$$\chi(\bar x) := \Big(\bigwedge_i Q_i(x_i)\Big) \to \exists z\,\big(z = z \wedge \mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi)\big).$$

Claim: $\gamma(\bar x) \models \chi(\bar x)$.
Proof of claim: By Proposition 4.2,
$$\mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi) = \mathrm{BIND}_{\bar x \to \bar Q}\big(\mathrm{BIND}_{\bar y \to \bar P}(\psi)\big). \tag{1}$$
Then by applying Proposition 4.3 and inverting the hypotheses, we have
$$\mathrm{BIND}_{\bar y \to \bar P}(\psi) \models \Big(\bigwedge_i Q_i(x_i)\Big) \to \mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi).$$
From this, it follows (because $z$ is distinct from the $x_i$ variables) that
$$\exists z\,\big(\mathrm{BIND}_{\bar y \to \bar P}(\psi)\big) \models \Big(\bigwedge_i Q_i(x_i)\Big) \to \exists z\, \mathrm{BIND}_{\bar x \bar y \to \bar Q \bar P}(\psi),$$
and therefore $\gamma(\bar x) \models \chi(\bar x)$. This concludes the proof of the claim.

Since $L$ can express both $\gamma(\bar x)$ and $\chi(\bar x)$, we have by the Craig interpolation property that $L$ can express some Craig interpolant $\theta(\bar x)$. Since $G$ and the $Q_i$ predicates do not occur in $\psi$, they do not occur in $\theta(\bar x)$, and therefore, the following second-order implication is valid:
$$\exists G\, \gamma(\bar x) \models \theta(\bar x) \models \forall \bar Q\, \chi(\bar x).$$
It is easy to see that $\exists G\, \gamma(\bar x) \equiv \exists z\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)$. Similarly, it follows from Proposition 4.4 and equation (1) that $\forall \bar Q\, \chi(\bar x) \equiv \exists z\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)$. Therefore, $\theta(\bar x) \equiv \exists z\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)$. In particular, $\exists z\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)$ is expressible in $L$.

We are now ready to prove Proposition 4.1, restated below.


Proposition 4.1. Let $L$ be a logic with CIP that can express atomic formulas, guarded quantification, conjunction, and unary implication. Then $\mathrm{FO}^{\exists\wedge} \le L$.


Proof. By strong induction on the complexity of $\mathrm{FO}^{\exists\wedge}$-formulas. The base case is immediate, since $L$ can express all atomic formulas. For the inductive step, if $\varphi := \varphi_1 \wedge \varphi_2$, then by the inductive hypothesis, $L$ can express $\varphi_1$ and $\varphi_2$, and so by closure under conjunction, $L$ can express $\varphi$. Now suppose $\varphi(\bar y) := \exists x\,(\psi(x, \bar y))$. By the inductive hypothesis, together with closure under guarded quantification, $L$ can express
$$\gamma(\bar y) := \exists x\,\big(G(x, \bar y) \wedge \psi\big).$$
Furthermore, by Lemma 4.1, $L$ can express $\mathrm{BIND}_{\bar y \to \bar P}(\psi)$, and therefore, by closure under guarded quantification and unary implications, $L$ can express
$$\chi(\bar y) := \Big(\bigwedge_i P_i(y_i)\Big) \to \exists x\,\big(x = x \wedge \mathrm{BIND}_{\bar y \to \bar P}(\psi)\big).$$

Claim: $\gamma(\bar y) \models \chi(\bar y)$.
Proof of claim: It is clear that $\gamma(\bar y) \models \exists x\, \psi$. Furthermore, by Proposition 4.3, $\psi \models (\bigwedge_i P_i(y_i)) \to \mathrm{BIND}_{\bar y \to \bar P}(\psi)$, from which it follows that $\exists x\, \psi \models \chi(\bar y)$ (since the variable $x$ is distinct from $y_1, \ldots, y_n$). Therefore, $\gamma(\bar y) \models \chi(\bar y)$.

Let $\theta(\bar y)$ be an interpolant for $\gamma(\bar y) \models \chi(\bar y)$ in $L$. Since $G$ and the predicates in $\bar P$ do not occur in $\psi$, the following second-order entailments are valid:
$$\exists G\, \exists x\,\big(G(x, \bar y) \wedge \psi\big) \models \theta(\bar y) \models \forall \bar P\, \Big(\Big(\bigwedge_i P_i(y_i)\Big) \to \exists x\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)\Big).$$
It is easy to see that
$$\exists G\, \exists x\,\big(G(x, \bar y) \wedge \psi\big) \equiv \exists x\, \psi.$$
Furthermore, by Proposition 4.4,
$$\psi \equiv \forall \bar P\, \Big(\Big(\bigwedge_i P_i(y_i)\Big) \to \mathrm{BIND}_{\bar y \to \bar P}(\psi)\Big),$$
from which it follows (since $x$ is distinct from $y_1, \ldots, y_n$) that
$$\exists x\, \psi \equiv \forall \bar P\, \Big(\Big(\bigwedge_i P_i(y_i)\Big) \to \exists x\, \mathrm{BIND}_{\bar y \to \bar P}(\psi)\Big).$$
Therefore, $\theta(\bar y) \equiv \varphi(\bar y)$, and so we are done.


Our main result follows easily from Proposition 4.1, the closure properties of guarded logics, and the UCQ characterization of GNFO.


Theorem 4.1. Let $L$ be a guarded logic with CIP. Then $\mathrm{GNFO} \le L$.


Proof. $L$ can express self-guarded GFO-formulas, so it can express formulas of the form $\exists \bar x\, \beta$, where $\beta$ is an atomic formula. Then since $L$ can express self-guarded substitution, $L$ can express guarded quantification. Furthermore, $L$ can express all self-guarded formulas of the form $\alpha \wedge \neg\beta$, where $\alpha$ and $\beta$ are atomic formulas such that $\mathrm{free}(\alpha) = \mathrm{free}(\beta)$. Furthermore, for every formula $\psi$ expressible in $L$ with $\mathrm{free}(\psi) \subseteq \mathrm{free}(\alpha)$, $\alpha \wedge \psi$ is a self-guarded formula. Thus by expressibility of self-guarded substitution, $L$ can also express $\alpha \wedge \neg(\alpha \wedge \psi)$, which is equivalent to $\alpha \wedge \neg\psi$; hence $L$ can express guarded negation. If $L$ can express $\varphi$, then by expressibility of guarded negation and disjunction, it can also express the formula $(x = x \wedge \neg P(x)) \vee \varphi$, which is equivalent to $P(x) \to \varphi$. Hence $L$ can express unary implications. Therefore, by Proposition 4.1, $L$ can express all formulas in $\mathrm{FO}^{\exists\wedge}$. Then by expressibility of disjunction, $L$ can express all unions of conjunctive queries. The result then follows immediately from the UCQ-syntax for GNFO, by closure under self-guarded substitution.


5 Repairing Interpolation for FF 


The fluted fragment (FL) [51] is an ordered logic, in which all occurrences of variables in atomic formulas and quantifiers must follow a fixed order. In the context of ordered logics, we assume a fixed infinite sequence of variables $X = (x_i)_{i \in \mathbb{Z}^+}$. A suffix $n$-atom is an atomic formula of the form $R(x_k, \ldots, x_n)$, where $x_k, \ldots, x_n$ is a finite contiguous subsequence of $X$. FL is defined by the following recursion.


Definition 5.1. For each $n \in \mathbb{N}$, define collections of formulas $\mathrm{FL}^n$ as follows:

1. $\mathrm{FL}^n$ contains all suffix $n$-atoms,
2. $\mathrm{FL}^n$ is closed under Boolean combinations, and
3. If $\varphi$ is in $\mathrm{FL}^{n+1}$, then $\exists x_{n+1}\, \varphi$ and $\forall x_{n+1}\, \varphi$ are in $\mathrm{FL}^n$.

We set $\mathrm{FL} = \bigcup_{n \in \mathbb{N}} \mathrm{FL}^n$.

The forward fragment (FF), introduced in [6], is a syntactic generalization of FL. We say that $R(x_k, \ldots, x_l)$ is an infix $n$-atom if $x_k, \ldots, x_l$ is a finite contiguous subsequence of $X$ and $l \le n$. FF is defined by the following recursion.

Definition 5.2. For each $n \in \mathbb{N}$, define collections of formulas $\mathrm{FF}^n$ as follows:

1. $\mathrm{FF}^n$ contains all infix $n$-atoms,
2. $\mathrm{FF}^n$ is closed under Boolean combinations, and
3. If $\varphi$ is in $\mathrm{FF}^{n+1}$, then $\exists x_{n+1}\, \varphi$ and $\forall x_{n+1}\, \varphi$ are in $\mathrm{FF}^n$.

We set $\mathrm{FF} = \bigcup_{n \in \mathbb{N}} \mathrm{FF}^n$.


In contrast to the other logics we have seen, FL and FF do not allow the primitive equality symbol. It can be seen by a simple formula induction that every formula in $\mathrm{FF}^k$ can be expressed by a formula in $\mathrm{FF}^n$ for every $n \ge k$; it follows easily that FF can express arbitrary Boolean combinations of its formulas. However, FL cannot: $P(x_1)$ and $P(x_2)$ are in FL, but $P(x_1) \wedge P(x_2)$ is not expressible in FL. Although FF contains formulas which are not in FL, it is known that FF and FL are expressively equivalent at the level of sentences [7]. Furthermore, the satisfiability problems for FL and FF are decidable [48,7].
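As an added illustration (not part of the paper), the following Python decides literal membership in $\mathrm{FL}^n$ and $\mathrm{FF}^n$ by the three clauses of Definitions 5.1 and 5.2, and computes gfv as defined in Section 5.1; the formula encoding is an assumption of the example. Membership here is purely syntactic, whereas the inexpressibility claims in the text (e.g. for $P(x_1) \wedge P(x_2)$ in FL) are the stronger semantic statements.

```python
# Added example (not from the paper): a syntactic membership test for the
# fluted fragment FL^n and the forward fragment FF^n as literally given in
# Definitions 5.1 and 5.2. Variables x_1, x_2, ... are represented by their
# indices. Formula ASTs (hypothetical encoding):
#   ("atom", R, (i1, ..., ik)) | ("not", phi) | ("and"|"or"|"imp", phi, psi)
#   | ("exists", i, phi) | ("forall", i, phi)

def is_contiguous(idx):
    """x_{i1}, ..., x_{ik} is a finite contiguous subsequence of x_1, x_2, ..."""
    return len(idx) > 0 and all(b == a + 1 for a, b in zip(idx, idx[1:]))

def is_suffix_atom(idx, n):
    """Suffix n-atom: R(x_k, ..., x_n), a contiguous run ending exactly at x_n."""
    return is_contiguous(idx) and idx[-1] == n

def is_infix_atom(idx, n):
    """Infix n-atom: R(x_k, ..., x_l), a contiguous run with l <= n."""
    return is_contiguous(idx) and idx[-1] <= n

def in_fragment(phi, n, atom_ok):
    """Membership in level n of the fragment whose atoms are tested by atom_ok."""
    kind = phi[0]
    if kind == "atom":
        return atom_ok(phi[2], n)
    if kind == "not":
        return in_fragment(phi[1], n, atom_ok)
    if kind in ("and", "or", "imp"):
        return in_fragment(phi[1], n, atom_ok) and in_fragment(phi[2], n, atom_ok)
    # Clause 3: a quantifier at level n binds x_{n+1}; its body lies at level n+1.
    _, i, body = phi
    return i == n + 1 and in_fragment(body, n + 1, atom_ok)

def in_FL(phi, n):
    return in_fragment(phi, n, is_suffix_atom)

def in_FF(phi, n):
    return in_fragment(phi, n, is_infix_atom)

def levels(phi, checker, max_n=6):
    """Levels n <= max_n at which phi lies in the fragment (FL = ⋃_n FL^n)."""
    return [n for n in range(max_n + 1) if checker(phi, n)]

def free_indices(phi):
    kind = phi[0]
    if kind == "atom":
        return set(phi[2])
    if kind == "not":
        return free_indices(phi[1])
    if kind in ("and", "or", "imp"):
        return free_indices(phi[1]) | free_indices(phi[2])
    _, i, body = phi
    return free_indices(body) - {i}

def gfv(phi):
    """gfv(phi) of Section 5.1: the greatest n with x_n free in phi, 0 for a sentence."""
    return max(free_indices(phi), default=0)

# Constructed sample formulas: the ones discussed in the text, plus one fluted one.
R123 = ("atom", "R", (1, 2, 3))
R312 = ("atom", "R", (3, 1, 2))
P1_AND_P2 = ("and", ("atom", "P", (1,)), ("atom", "P", (2,)))
# phi_0(x_1) := ∀x_2 ∀x_3 (R(x_1, x_2) ∧ R(x_2, x_3) → R(x_1, x_3)), as in Proposition 6.1
TRANS = ("forall", 2, ("forall", 3, ("imp",
        ("and", ("atom", "R", (1, 2)), ("atom", "R", (2, 3))), ("atom", "R", (1, 3)))))
# ∀x_2 (R(x_1, x_2) → P(x_2)): a formula of FL^1 (and of FF^1)
FLUTED = ("forall", 2, ("imp", ("atom", "R", (1, 2)), ("atom", "P", (2,))))
```

`levels(TRANS, in_FL)` and `levels(TRANS, in_FF)` are both empty: the transitivity formula $\varphi_0(x_1)$ lies in neither $\mathrm{FL}^n$ nor $\mathrm{FF}^n$ for any $n$ by these definitions (the atom $R(x_1, x_3)$ is not contiguous), which is the syntactic side of why Section 6 obtains it in extensions of FL only through CIP.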
5.1 Natural Extensions of FF

Given a formula $\varphi$, we write $\mathrm{gfv}(\varphi)$ to denote the greatest $n \in \mathbb{Z}^+$ such that $x_n$ occurs free in $\varphi$; if $\varphi$ is a sentence, then we set $\mathrm{gfv}(\varphi) = 0$. We define forward logics to capture the notion of a natural extension of FF.


Definition 5.3. A forward logic is an abstract logic $L$ such that

1. $L$ can express all infix $n$-atoms for every $n \in \mathbb{Z}^+$,
2. $L$ can express all Boolean combinations of its formulas, and
3. $L$ can express $\exists x_n\, \varphi$ and $\forall x_n\, \varphi$ whenever $L$ can express $\varphi$ and $n = \mathrm{gfv}(\varphi)$.

We refer to the last property of a forward logic as expressibility of ordered quantification. Clearly FF is a forward logic, and every forward logic extends FF.


5.2 Finding the Minimal Extension of FF with CIP 


Unlike the other fragments we have seen, one peculiar property of FF is that the logic is not closed under variable substitutions. This can be seen simply by considering relational atoms: for a 3-ary relational symbol $R$, the formula $R(x_1, x_2, x_3)$ is in FF, but the formula $R(x_3, x_1, x_2)$ is not. Before proving our main theorem, we prove the following lemma asserting that whenever a formula is expressible in a forward logic $L$ satisfying CIP, the result of making arbitrary substitutions for the free variables of the formula is also expressible in $L$.


Lemma 5.1. Let $L$ be a forward logic satisfying CIP, and let $\varphi(x_{i_1}, \ldots, x_{i_k})$ be a formula of first-order logic expressible in $L$, where $x_{i_1}, \ldots, x_{i_k}$ is not necessarily a contiguous subsequence of variables. Then for every map
$$\pi : \{i_1, \ldots, i_k\} \to \mathbb{Z}^+,$$
we have that $L$ can also express $\varphi(x_{\pi(i_1)}, \ldots, x_{\pi(i_k)})$. In other words, $L$ is closed under renamings of free variables.


Proof. For brevity, let $\bar x = x_{i_1}, \ldots, x_{i_k}$, and let $\pi(\bar x) = x_{\pi(i_1)}, \ldots, x_{\pi(i_k)}$. Without loss of generality, assume that $i_1 < \cdots < i_k$ (we can do this since the notation $\varphi(x_{i_1}, \ldots, x_{i_k})$ only indicates that the variables occur free, but says nothing about where or in what order they occur in the formula). Since $L$ can express $\varphi(\bar x)$, it can evidently express the following formulas, by the definition of a forward logic:
$$\gamma := \Big(\bigwedge_{m \le k} G_m(x_{\pi(i_m)})\Big) \wedge \forall x_{i_1} \cdots \forall x_{i_k}\, \Big(\Big(\bigwedge_{m \le k} G_m(x_{i_m})\Big) \to \varphi(\bar x)\Big),$$
$$\chi := \Big(\bigwedge_{m \le k} P_m(x_{\pi(i_m)})\Big) \to \exists x_{i_1} \cdots \exists x_{i_k}\, \Big(\varphi(\bar x) \wedge \bigwedge_{m \le k} P_m(x_{i_m})\Big).$$
Clearly $\gamma \models \chi$, and so there exists an interpolant $\theta$. Hence
$$\exists G_1 \ldots G_k\, \gamma \models \theta \models \forall P_1 \ldots P_k\, \chi$$
is a valid second-order entailment. Furthermore, it is easy to see that
$$\exists G_1 \ldots G_k\, \gamma \equiv \forall P_1 \ldots P_k\, \chi \equiv \varphi(\pi(\bar x)).$$
Therefore, $\varphi(x_{\pi(i_1)}, \ldots, x_{\pi(i_k)})$ is expressible in $L$.


We now prove our main theorem, which follows easily from Lemma 5.1.

Theorem 5.1. Let $L$ be a forward logic satisfying CIP. Then $\mathrm{FO} \le L$.

Proof. We proceed by formula induction on FO-formulas $\varphi$. For the base case, clearly $L$ can express all atomic FO-formulas by applying Lemma 5.1 to an appropriate infix atom. For the inductive step, the Boolean cases are immediate since $L$ can express all Boolean combinations. Hence the only interesting case is when $\varphi := \exists x_k\, \psi$ for some formula $\psi$. By the inductive hypothesis, $L$ can express $\psi$. Applying Lemma 5.1, $L$ can also express $\psi'$, the result of substituting $x_{n+1}$ for all free occurrences of $x_k$, where $n = \mathrm{gfv}(\psi)$, and leaving all other free variables the same. Then by expressibility of ordered quantification, $L$ can express $\exists x_{n+1}\, \psi'$, which is equivalent to $\varphi$.


6 Undecidability of Extensions of $\mathrm{FO}^2$ and FL with CIP

In Section 3 we showed that every strong extension of $\mathrm{FO}^2$ with CIP can express all sentences of FO, and in Section 5 we showed that every forward logic with CIP can express all formulas of FO. These results suggest the undecidability of the satisfiability problems for such logics. In this section, we formalize this idea, showing that extensions of $\mathrm{FO}^2$ and FL with CIP and satisfying very limited expressive assumptions are undecidable. These results rely primarily on known results on the undecidability of $\mathrm{FO}^2$ and FL with additional transitive relations.


Proposition 6.1. Every abstract logic $L$ with CIP extending $\mathrm{FO}^2$ or FL can express the following formulas:
$$\varphi_0(x_1) := \forall x_2 \forall x_3\, \big(R(x_1, x_2) \wedge R(x_2, x_3) \to R(x_1, x_3)\big), \quad\text{and}$$
$$\psi_1 := \neg \forall x_1 \forall x_2 \forall x_3\, \big(R(x_1, x_2) \wedge R(x_2, x_3) \to R(x_1, x_3)\big).$$


The proof of Proposition 6.1 can be found in the full version of this paper [20]. We also need two additional definitions. First, an effective translation from a logic $L$ to a logic $L'$ is a computable function which takes a formula $\varphi \in L$ as input and outputs an equivalent formula $\varphi' \in L'$. Second, we say that a logic $L$ has effective conjunction if there is a computable function taking formulas $\varphi, \psi \in L$ as input and outputting a formula $\chi \in L$ which is equivalent to $\varphi \wedge \psi$.
Theorem 6.1. Let $L$ be an extension of FL which satisfies CIP. Suppose further that there is an effective translation from FL to $L$, and $L$ has effective conjunction. The satisfiability problem for $L$ is undecidable if either

1. $L$ can express ordered quantification, or
2. $L$ can express negation.

Proof. Let $\chi$ be the sentence asserting the transitivity of the relation $R$. Since $L$ has CIP and extends FL, it can express both $\varphi_0(x_1)$ and $\psi_1$ by Proposition 6.1. If $L$ can express ordered quantification, it can express $\forall x_1\, \varphi_0(x_1)$, which is equivalent to $\chi$. If $L$ can express negation, then it can express $\neg\psi_1$, which is also equivalent to $\chi$. Since $L$, as an abstract logic, can express $\chi$ and is closed under predicate renamings, it can express that any number of binary relations are transitive. Let $\chi_1$, $\chi_2$, and $\chi_3$ be sentences expressing transitivity of binary relation symbols $R_1$, $R_2$, and $R_3$, respectively. Let $\mathrm{tr}$ be an effective translation from FL to $L$. Then a formula $\varphi$ of FL with three designated transitive relations is satisfiable if and only if $\mathrm{tr}(\varphi) \wedge \chi_1 \wedge \chi_2 \wedge \chi_3$ is satisfiable. Since $\mathrm{tr}$ is computable and $L$ is effectively closed under conjunction, this reduction is computable. Since the satisfiability problem for FL with three transitive relations is undecidable [46], the satisfiability problem for $L$ is undecidable.


It is also known that satisfiability is undecidable for $\mathrm{FO}^2$-formulas with two transitive relations [36]. Using this fact, along with Proposition 6.1, we obtain the following theorem, by a similar proof to that of Theorem 6.1.


Theorem 6.2. Let $L$ be an extension of $\mathrm{FO}^2$ which satisfies CIP. Suppose further that there is an effective translation from $\mathrm{FO}^2$ to $L$, and $L$ has effective conjunction. The satisfiability problem for $L$ is undecidable if either


1. L can express universal quantification, or 
2. L can express negation. 


We remark that all forward logics and strong extensions of $\mathrm{FO}^2$ with CIP, assuming appropriate effective translations and effective conjunction, meet the requirements of Theorems 6.1 and 6.2, and hence are undecidable.


7 Discussion 


In the introduction, we mentioned several results indicating the failure of CIP among many natural proper extensions of FO. In [14], van Benthem points out that there is a similar scarcity among FO-fragments as well. Our results in Sections 3 and 5 may be interpreted as additional confirmation of this observation. Furthermore, one tends to study proper fragments of FO for their desirable computational properties, and so our broader undecidability results show that CIP fails for large swaths of decidable FO-fragments. However, there are a few notable fragments for which the determination of a minimal extension satisfying CIP is still open, such as FL and the quantifier prefix fragments.
One limitation of our methodology and results is their dependence on a definition of Craig interpolation which mandates the existence of interpolants between proper formulas, while many practical applications only require CIP for sentences. Throughout this paper, we have established expressibility of a formula $\psi$ in a logic $L$ by induction (and by constructing two formulas $\gamma$ and $\chi$ such that $\gamma \models \chi$ and arguing that every interpolant is equivalent to $\psi$). In general, this method is difficult to apply unless free variables are allowed; it is not clear how to apply this type of inductive argument if we were only concerned with the existence of interpolants for sentences of the logic.

There are several well-studied properties strictly weaker than CIP. The $\Delta$-interpolation property (also known as Suslin-Kleene interpolation) holds for a logic $L$ if, whenever $\varphi \models \psi$, and (intuitively speaking) there is only one possible interpolant $\theta$ up to logical equivalence for this entailment, then $L$ contains a formula equivalent to $\theta$ [5]. It is not hard to see that, unlike the Craig interpolation property, every logic $L$ has a unique extension, denoted $\Delta(L)$, satisfying the $\Delta$-interpolation property. In fact, in our proofs we only rely on $\Delta$-interpolation; every application of the assumption that some abstract logic $L$ satisfies CIP yields a provably unique interpolant, up to logical equivalence. Therefore, all of our results hold also when CIP is replaced by $\Delta$-interpolation.

Two additional weakenings of CIP are the projective and non-projective Beth definability properties. The projective Beth property states, roughly, that whenever a $\sigma \cup \tau \cup \{R\}$-theory $\Sigma$ implicitly defines a relation $R$ in terms of the relations in $\sigma$, then $\Sigma$ entails an explicit definition of $R$ in terms of $\sigma$ (the non-projective Beth property being the special case for $\tau = \emptyset$). Many practical applications of CIP in database theory and knowledge representation require only the projective Beth property. It is not immediately clear how to extend our methodology to a systematic study of the (projective) Beth property among decidable FO-fragments. Indeed, GFO already satisfies the non-projective Beth property [33]. Given their applications, an interesting avenue of future work is to map the landscape of FO-fragments satisfying these properties. In the other direction, minimal extensions of logics with uniform interpolation (a strengthening of CIP) were studied in [25], although with limited results so far (cf. [25, Thm. 14]). Some of the minimal extensions of PLTL fragments with CIP identified in [28], however, do satisfy uniform interpolation.
Abstract. We explain how to recast the semantics of the simply-typed $\lambda$-calculus, and its linear and ordered variants, using multi-ary structures. We define universal properties for multicategories, and use these to derive familiar rules for products, tensors, and exponentials. Finally we outline how to recover both the category-theoretic syntactic model and its semantic interpretation from the multi-ary framework. We then use these ideas to study the semantic interpretation of combinatory logic and the simply-typed $\lambda$-calculus without products. We introduce extensional SK-clones and show these are sound and complete for both combinatory logic with extensional weak equality and the simply-typed $\lambda$-calculus without products. We then show such SK-clones are equivalent to a variant of closed categories called SK-categories, so the simply-typed $\lambda$-calculus without products is the internal language of SK-categories.


Keywords: categorical semantics - abstract clones - lambda calculus - 
combinatory logic - closed categories - cartesian closed categories 


1 Introduction 


Lambek’s correspondence between cartesian closed categories and the simply-typed $\lambda$-calculus is one of the central pillars of categorical semantics. One way of stating it categorically is to say that the syntax of typed $\lambda$-terms over a signature of base types and constants forms the free cartesian closed category (for a readable overview, see [27,9]). The existence of this syntactic model gives completeness: if an equation holds in every model, it holds in the free one, and hence in the syntax. The free property then gives soundness: for any interpretation of basic types and constants in a cartesian closed category $(\mathbb{C}, \Pi, \Rightarrow)$ one has a functor $[\![-]\!]$ from the syntactic model to $\mathbb{C}$, which is exactly the semantic interpretation of $\lambda$-terms. The fact this functor is required to preserve cartesian closed structure amounts to showing that the semantic interpretation is sound with respect to the usual $\beta\eta$-laws. All this justifies calling the simply-typed $\lambda$-calculus the internal language of cartesian closed categories.

This framework is powerful, but hides a fundamental mismatch: morphisms $A \to B$ in a category are unary—they have just one input—but terms-in-context such as $x_1 : A_1, \ldots, x_n : A_n \vdash t : B$ can have many inputs. The standard solution (e.g. [9,23]) is to use categorical products to model contexts, so a term $t$ as above corresponds to a map $\prod_{k \le n} A_k \to B$ out of the product.

Despite its evident success, this solution remains somewhat unsatisfactory, in two ways (see also [21]). First, it forces us to conflate two different syntactic classes, namely contexts and product types. As a result, some encoding is required to construct the syntactic model: the interpretation of $x : A, y : B \vdash t : C$ is a term in context $p : A \times B$. This adds complexity to the construction, and results in the somewhat unintuitive fact that the semantic interpretation of a term $t$ in the syntactic model may not be just $t$ itself. In turn, this complicates the proof of completeness.

Second, we are forced to include products in our type theory if we want a category-theoretic internal language—even though the calculus without products likely has a stronger claim to being called ‘the’ simply-typed $\lambda$-calculus (e.g. see Church’s original definition [8]). This raises the question: what categorical structure has the simply-typed $\lambda$-calculus without products as its internal language?


This paper. This paper has three main aims. First, to explain how removing the mismatch between terms-in-context and morphisms outlined above clarifies the semantic interpretation of simply-typed $\lambda$-calculi. To achieve this, one needs to move from the unary setting of categories to a multi-ary setting, in which we have multimaps $A_1, \ldots, A_n \to B$. These ideas are not new, but are under-appreciated, and I hope this will provide a self-contained introduction for a wider audience. Second, to initiate a multi-ary investigation of the semantics of (cartesian) combinatory logic, in the style of Hyland’s investigation of similar ideas for the untyped $\lambda$-calculus ([18,19]). Finally, to use these results to define a categorical semantics for the simply-typed $\lambda$-calculus without products.


Outline. In Sections 2 to 6 we explain how the multi-ary perspective yields a slick way to derive the unary semantic interpretation and syntactic model, together with soundness and completeness results (Section 4.2). We also show how important type-theoretic constructions such as products and exponentials can be derived from the semantics. This framework accommodates different choices of structural rules, such as whether the language is ordered, linear, or cartesian.

The idea of using multi-ary constructions goes back to Lambek ([25,26]), and has recently been exploited to great effect in a very general setting by Shulman [40]. Particular cases can also be found in the works of Hyland ([18,19]), Hyland & de Paiva [20] and Blanco & Zeilberger [7]. A reader familiar with these approaches will likely be unsurprised by the technical development below. However, we believe these ideas deserve to be more widely known, so spend time making them explicit in a concrete setting.

In Section 7 we introduce a multi-ary model of (cartesian) combinatory logic, called SK-clones, and prove that the sub-category of extensional SK-clones is equivalent to the category of closed clones modelling simply-typed $\lambda$-calculus without products. This provides a categorical statement of the classical correspondence between $\lambda$-calculus and extensional combinatory logic (e.g. [5,15]).
Finally, in Section 8 we introduce a version of Eilenberg & Kelly’s closed categories ([11,10]), called SK-categories, and show that the category of SK-categories is equivalent to the category of extensional SK-clones, and so to the category of closed clones. Hence, SK-categories are a categorical model for the simply-typed $\lambda$-calculus without products. SK-categories are a cartesian version of the prounital-closed categories of Uustalu, Veltri & Zeilberger ([43,44]), which in turn are closely related to an (incomplete) suggestion of Shulman’s [39].

Jacobs has also isolated a structure that is sound and complete for simply-typed $\lambda$-calculus without products [21]. His approach, which fits into his elegant general framework [22], is also predicated on a careful distinction between contexts and products. His models are certain indexed categories, with the contexts encoded by the indexing: this makes them feel closer to multi-ary structures. In SK-categories, by contrast, contexts are modelled within the category itself by using the closed structure (cf. [35, §4.4]). Moreover, unlike other work relating closed categories to multi-ary structures, SK-categories do not force us to include a unit object in the corresponding type theory (cf. [BI]).


Technical preliminaries. For a set $S$ we write $S^*$ for the set of finite sequences over $S$, and use Greek letters $\Gamma, \Delta, \ldots$ to denote elements of $S^*$. The empty string is denoted $\circ$, and the length of $\Gamma$ by $|\Gamma|$. Where the length of a sequence is clear, we write simply $A_n$ for $A_1, \ldots, A_n$. Contexts are assumed to be ordered lists.

We call multimaps of the form $A \to B$ unary and a multimap $\circ \to B$ nullary.

We define a signature $S$ to be a set $|S|$ of basic sorts with sets $S(\Gamma; B)$ of constants $c : \Gamma \to B$ for each $(\Gamma, B) \in |S|^* \times |S|$. A homomorphism of signatures $f : S \to S'$ is a map $|f| : |S| \to |S'|$ with maps $S(A_1, \ldots, A_n; B) \to S'(fA_1, \ldots, fA_n; fB)$ for each $((A_1, \ldots, A_n), B) \in |S|^* \times |S|$. We write Sig for the category of signatures and their homomorphisms. One could also consider versions of higher-order constants, which may use the language’s constructs. This extension does not change the theory significantly, and would require introducing multiple categories of signatures, so we do not seek this extra generality here (for an outline of this more general approach, see e.g. [38, §5.3.1]).

We assume familiarity with the simply-typed $\lambda$-calculus, as in e.g. [9]. We denote the simply-typed $\lambda$-calculus with constants and base types given by a signature $S$, and both product and exponential types modulo $\alpha\beta\eta$-equality, by $\Lambda_S^{\times,\Rightarrow}$. We write $\Lambda_S^{\times}$ and $\Lambda_S^{\Rightarrow}$ for the fragments with just products and just exponentials, respectively. Here we focus on the typed cases: the untyped versions—both in the syntax and the multi-ary models—are recovered by fixing a single base type $*$ such that $\odot(*, \ldots, *) = *$ for each type constructor $\odot$.

We also assume familiarity with the basics of cartesian categories, cartesian closed categories, and monoidal categories, as in e.g. [30,27]. To avoid having to treat the unit type as a special case, cartesian categories are assumed to have $n$-ary products $\prod_n$ for all $n \in \mathbb{N}$. We also work with functors preserving structure strictly: this simplifies the exposition without any great loss of generality. Thus, MonCat, SMonCat and CartCat denote the categories of monoidal categories, symmetric monoidal categories, and cartesian categories, respectively, with functors preserving all the data on the nose.
2 Multicategories and clones

We begin with an intuitive overview of the place of multi-ary structures in semantics. A multi-ary structure has multimaps $A_1, \ldots, A_n \to B$ with multiple inputs and one output; unlike the morphisms in a category, multimaps correspond directly to terms-in-context. As a result, it is often easier to construct a multi-ary free model than it is to construct a unary one, and the interpretation of a term-in-context $t$ in the free model is given by $t$ itself. Moreover, every multi-ary structure gives rise to a unary one by restricting to multimaps with one input. The multi-ary semantics therefore factors the unary one, as shown:


[Diagram (1): signatures sit at the bottom left, categorical structures at the bottom right, and multi-ary structures at the top. Arrows: “free” from signatures to multi-ary structures and “forget” back; “restrict to unary maps” from multi-ary structures to categorical structures and “extend” back.]


One can then ‘read off’ the syntactic category, together with a guarantee that it has the right structure, by restricting the free multi-ary structure to unary maps. Similarly, the usual semantic interpretation in (say) a cartesian closed category $\mathbb{C}$ is exactly the interpretation that arises by extending $\mathbb{C}$ to a multi-ary structure. This gives an algebraic justification for encoding contexts as products: this is how one extends a cartesian closed category to a multi-ary structure. (For the details of these points, see Section 4.2.)

The multi-ary perspective also provides a unifying framework for type theories with different structural rules. The simply-typed $\lambda$-calculus is cartesian: it admits the structural rules of weakening, contraction, and permutation (as in e.g. [9, Fig. 3.2]). The corresponding multi-ary structures are certain abstract clones. Ordered type theories (e.g. [24,36]), also known as planar type theories (e.g. [2,46]), do not admit weakening, contraction, or permutation, and correspond to certain multicategories. Linear type theories (e.g. [16]), which admit only permutation, correspond to certain symmetric multicategories (see also the alternative ‘tangled’ option in [83]). Since abstract clones and symmetric multicategories may be seen as special cases of multicategories, we can develop a theory of how to add structure to cartesian, linear, and ordered type theories by analysing how to add structure to multicategories.


2.1 Multicategories, clones, and their internal languages 


We now introduce multicategories and abstract clones and show how they correspond to certain type theories. An even more general framework for syntax, allowing multi-ary domains and codomains as well as both cartesian and linear contexts, is provided by Shulman’s recent work with polycategories [40]. Clones, and their correspondence with syntax, also play a key role in the ‘algebraic syntax’ programme of Fiore and collaborators initiated in [13] (see e.g. [2BH]).


Definition 1 ([25]). A multicategory $\mathbb{M}$ consists of a set $|\mathbb{M}|$ of objects and sets $\mathbb{M}(\Gamma; B)$ of multimaps for every $\Gamma \in |\mathbb{M}|^*$ and $B \in |\mathbb{M}|$, together with

1. An identity multimap $\mathrm{Id}_A \in \mathbb{M}(A; A)$ for every $A \in |\mathbb{M}|$;
2. For any $A_1, \ldots, A_n, B \in |\mathbb{M}|$ and $(\Delta_i \in |\mathbb{M}|^*)_{i = 1, \ldots, n}$, a composition map
$$\mathbb{M}(A_1, \ldots, A_n; B) \times \prod_{i=1}^{n} \mathbb{M}(\Delta_i; A_i) \to \mathbb{M}(\Delta_1, \ldots, \Delta_n; B), \qquad (t, (u_1, \ldots, u_n)) \mapsto t \circ \langle u_1, \ldots, u_n \rangle$$

subject to an associativity law and two unit laws (see e.g. [28, p. 35]). A multicategory functor $f : \mathbb{M} \to \mathbb{N}$ consists of a map $|f| : |\mathbb{M}| \to |\mathbb{N}|$ with maps $f_{\bar A, B} : \mathbb{M}(A_1, \ldots, A_n; B) \to \mathbb{N}(fA_1, \ldots, fA_n; fB)$ for every $A_1, \ldots, A_n, B \in |\mathbb{M}|$, such that substitution and the identity are preserved (see e.g. [28, p. 39]).


Definition 2 ([32,20]). A symmetric multicategory consists of a multicategory $\mathbb{M}$ together with a symmetric group action: for each $A_1, \ldots, A_n \in |\mathbb{M}|$ and $\sigma \in S_n$ one has $(-) \cdot \sigma : \mathbb{M}(A_1, \ldots, A_n; B) \to \mathbb{M}(A_{\sigma 1}, \ldots, A_{\sigma n}; B)$ compatible with substitution and satisfying unit and associativity laws (e.g. [28, p. 54]). A symmetric multicategory functor is a multicategory functor which preserves the action.


We write Multicat (resp. SMulticat) for the category of (symmetric) multicategories and their functors, and write $t : \Gamma \to B$ for $t \in \mathbb{M}(\Gamma; B)$.


Example 1. Every monoidal category $(\mathbb{C}, \otimes, I)$ induces a multicategory $T\mathbb{C}$. The objects are those of $\mathbb{C}$, with multimaps $(T\mathbb{C})(A_1, \ldots, A_n; B) := \mathbb{C}(\bigotimes_{i=1}^{n} A_i, B)$ for a chosen $n$-ary bracketing of the tensor product. This determines functors MonCat $\to$ Multicat, and SMonCat $\to$ SMulticat (see e.g. [28, p. 39]); we denote both of these by $T$.


Lambek [25] essentially observed that every multicategory has an internal language, as follows. One identifies multimaps $t : A_1, \ldots, A_n \to B$ with terms $x_1 : A_1, \ldots, x_n : A_n \vdash t : B$, for a fixed ordering of an infinite set of variables $\{x_1, x_2, \ldots\}$. The identity $\mathrm{Id}_A$ is identified with the variable $x : A$, and the composition operation becomes a formal substitution operation on the language. Stated in this way, the three axioms become well-known properties of substitution: the unit laws say $x[u] = u$ and $t[x_1, \ldots, x_n] = t$, and the associativity law is a linear version of the so-called Substitution Lemma (e.g. [5, Lemma 2.1.16]).

The next result shows this terminology does not differ too much from the 
notion of internal language in the introduction. For a signature $S$ and $\Gamma := (x_i : A_i)_{i=1,\dots,n}$, write $\mathcal{O}_S$ for the ordered language generated by the first two rules below, and $\mathcal{L}_S$ for the linear language generated by all three rules: 

$$\frac{}{x : A \vdash x : A} \qquad \frac{c \in S(\Gamma; B) \quad (\Delta_i \vdash u_i : A_i)_{i=1,\dots,n}}{\Delta_1,\dots,\Delta_n \vdash c(u_1,\dots,u_n) : B} \qquad \frac{\Theta, x : A, y : B, \Delta \vdash t : C}{\Theta, y : B, x : A, \Delta \vdash t : C}$$


Substitution is defined as usual, so that the following rule is admissible: 

$$\frac{x_1 : A_1,\dots,x_n : A_n \vdash t : B \quad (\Delta_i \vdash u_i : A_i)_{i=1,\dots,n}}{\Delta_1,\dots,\Delta_n \vdash t[u_1/x_1,\dots,u_n/x_n] : B}$$


With this rule as composition, $\mathcal{O}_S$ and $\mathcal{L}_S$ define a syntactic multicategory 
$\mathrm{Syn}(\mathcal{O}_S)$ and a syntactic symmetric multicategory $\mathrm{Syn}(\mathcal{L}_S)$, respectively. These 
define left adjoints to the functors $\mathbf{Multicat} \to \mathbf{Sig}$ and $\mathbf{SMulticat} \to \mathbf{Sig}$ 
sending a (symmetric) multicategory $M$ to the signature with objects $|M|$ and 
constants $\{M(\Gamma; B)\}_{\Gamma \in |M|^*,\, B \in |M|}$; we denote both these functors by $U$. 


Lemma 1. $\mathrm{Syn}(\mathcal{O}_S)$ (resp. $\mathrm{Syn}(\mathcal{L}_S)$) is the free multicategory (resp. symmetric 
multicategory) on $S$. 


Thus, the internal language of a symmetric multicategory is the core of 
Abramsky's linear $\lambda$-calculus [1]. To recover a cartesian language, we use (multi-sorted) abstract clones. These differ from multicategories in that the result of 
substituting $(u_i : \Delta \to A_i)_{i=1,2}$ into $t : A_1, A_2 \to B$ yields a multimap of type 
$\Delta \to B$, not $\Delta, \Delta \to B$. Abstract clones are equivalently cartesian multicategories (see e.g. [18]), but this formulation is less natural syntactically: it amounts 
to adding explicit duplication and deletion operations to the language. 


Definition 3. An abstract clone $C$ consists of a set $|C|$ of sorts and sets $C(\Gamma; B)$ 
of multimaps for every $\Gamma \in |C|^*$ and $B \in |C|$, together with 
1. Projection multimaps $\mathsf{p}^{(A_1,\dots,A_n)}_i \in C(A_1,\dots,A_n; A_i)$ for every $A_1,\dots,A_n \in |C|$; 
2. For every $A_1,\dots,A_n, B \in |C|$ and $\Delta \in |C|^*$, a substitution operation 

$$C(A_1,\dots,A_n; B) \times \prod_{i=1}^n C(\Delta; A_i) \to C(\Delta; B), \qquad (t, (u_1,\dots,u_n)) \mapsto t[u_1,\dots,u_n]$$

subject to an associativity law and two unit laws for any $t \in C(A_1,\dots,A_n; B)$, 
$(u_i \in C(B_1,\dots,B_m; A_i))_{i=1,\dots,n}$ and $(v_j \in C(\Theta; B_j))_{j=1,\dots,m}$, where $\mathsf{p}_i$ abbreviates the projection at the evident types: 

$$t[u_1,\dots,u_n][v_1,\dots,v_m] = t\big[u_1[v_1,\dots,v_m],\dots,u_n[v_1,\dots,v_m]\big], \qquad \mathsf{p}_i[u_1,\dots,u_n] = u_i, \qquad t[\mathsf{p}_1,\dots,\mathsf{p}_n] = t$$

A homomorphism of clones $f : C \to D$ consists of a map $|f| : |C| \to |D|$ and maps 
$f_{\Gamma,B} : C(A_1,\dots,A_n; B) \to D(fA_1,\dots,fA_n; fB)$ for every $A_1,\dots,A_n, B \in |C|$, 
such that $f(\mathsf{p}^{(A_1,\dots,A_n)}_i) = \mathsf{p}^{(fA_1,\dots,fA_n)}_i$ and $f(t[u_1,\dots,u_n]) = (ft)[fu_1,\dots,fu_n]$. We write 
$\mathbf{Clone}$ for the category of clones and clone homomorphisms. 


Example 2 (cf. Example 1). Any cartesian category $(\mathcal{C}, \Pi)$ determines a clone 
$\mathsf{P}\mathcal{C}$ with sorts the objects of $\mathcal{C}$ and $(\mathsf{P}\mathcal{C})(A_1,\dots,A_n; B) := \mathcal{C}(\prod_{i=1}^n A_i, B)$. 
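As an added worked check, not part of the original text: the data of Example 2 satisfies the three laws of Definition 3 using nothing but the universal property of products in $\mathcal{C}$. Write $\langle u_1,\dots,u_n\rangle : D \to \prod_{i=1}^n A_i$ for the tupling in $\mathcal{C}$ of maps $u_i : D \to A_i$, and $\pi_i$ for the product projections of $\mathcal{C}$. Projections and substitution in $\mathsf{P}\mathcal{C}$ are

$$\mathsf{p}_i := \pi_i : \textstyle\prod_{j=1}^n A_j \to A_i, \qquad t[u_1,\dots,u_n] := t \circ \langle u_1,\dots,u_n\rangle .$$

The three clone laws then reduce to the three equations characterising the product, $\pi_i \circ \langle u_1,\dots,u_n\rangle = u_i$, $\langle \pi_1,\dots,\pi_n\rangle = \mathrm{id}$ and $\langle u_1,\dots,u_n\rangle \circ v = \langle u_1 \circ v,\dots,u_n \circ v\rangle$:

$$\begin{aligned}
\mathsf{p}_i[u_1,\dots,u_n] &= \pi_i \circ \langle u_1,\dots,u_n\rangle = u_i,\\
t[\mathsf{p}_1,\dots,\mathsf{p}_n] &= t \circ \langle \pi_1,\dots,\pi_n\rangle = t \circ \mathrm{id} = t,\\
t[u_1,\dots,u_n][v_1,\dots,v_m] &= t \circ \langle u_1,\dots,u_n\rangle \circ \langle v_1,\dots,v_m\rangle \\
&= t \circ \big\langle u_1 \circ \langle v_1,\dots,v_m\rangle,\dots,u_n \circ \langle v_1,\dots,v_m\rangle\big\rangle = t\big[u_1[v_1,\dots,v_m],\dots,u_n[v_1,\dots,v_m]\big].
\end{aligned}$$

The cartesian structure is used essentially: all the $u_i$ share the single source $D$, and the tupling $\langle u_1,\dots,u_n\rangle$ is exactly the duplication-and-deletion behaviour that distinguishes clones from multicategories, where the $u_i$ would have disjoint sources $\Delta_1,\dots,\Delta_n$.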


We distinguish between clones and multicategories by using $[\dots]$ for a clone's 
substitution operation and $\langle\dots\rangle$ for a multicategory's composition operation. 
Every multicategory, and hence every clone, has an underlying category. 


Definition 4. The nucleus $\overline{M}$ of a multicategory or clone $M$ is the category 
with the same objects and $\overline{M}(A, B) := M(A; B)$. This defines functors $\overline{(-)} : \mathbf{Multicat} \to \mathbf{Cat}$ and $\overline{(-)} : \mathbf{Clone} \to \mathbf{Cat}$ to the category of small categories. 


The internal language of a clone is a cartesian version of that for multicategories. Write $\Lambda_S$ for the language below; substitution is defined as usual. 

$$\frac{(i = 1,\dots,n)}{x_1 : A_1,\dots,x_n : A_n \vdash x_i : A_i} \qquad \frac{c \in S(\Gamma; B) \quad (\Delta \vdash u_i : A_i)_{i=1,\dots,n}}{\Delta \vdash c(u_1,\dots,u_n) : B}$$

Identifying variables with projections, we get a syntactic clone $\mathrm{Syn}(\Lambda_S)$. 

Lemma 2. The canonical forgetful functor $U : \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, 
and the free clone on $S$ is $\mathrm{Syn}(\Lambda_S)$. 


Example 3. The languages $\Lambda^{\times}_S$, $\Lambda^{\Rightarrow}_S$ and $\Lambda^{\times,\Rightarrow}_S$ each induce syntactic clones we 
denote by $\mathrm{Syn}(\Lambda^{\times}_S)$, $\mathrm{Syn}(\Lambda^{\Rightarrow}_S)$ and $\mathrm{Syn}(\Lambda^{\times,\Rightarrow}_S)$, respectively. 


3 Universal properties for multicategories 


In this section we generalise the categorical notion of universal arrows (as in 
e.g. [30, §3]) to give a notion of universal property for multicategories. This 
will provide a uniform way to introduce new connectives to a type theory. One 
could also define the required conditions directly (see [7, 40]), but here we wish 
to emphasise that they arise from category-theoretic ideas. 


Definition 5 (cf. [17]). Let $f : M \to N$ be a multicategory functor. 

1. A universal arrow from $f$ to $Y \in |N|$ is a pair $(R \in |M|,\ p : fR \to Y)$ 
such that for every $t : fA_1,\dots,fA_n \to Y$ there exists a unique multimap 
$t^{\#} : A_1,\dots,A_n \to R$ such that $p\langle f(t^{\#})\rangle = t$. 

2. A universal arrow from $X_1,\dots,X_n \in |N|$ to $f$ is a pair $(R \in |M|,\ p : X_1,\dots,X_n \to fR)$ such that for every $t : X_1,\dots,X_n \to fB$ there exists 
a unique multimap $t^{*} : R \to B$ such that $f(t^{*})\langle p\rangle = t$. 


We extend this definition—and hence our notion of universal property—to 
clones by using the next observation (cf. the fact a cartesian category is monoidal). 


Lemma 3. There is a faithful functor M : Clone > Multicat sending a clone 
C to the multicategory with the same objects and hom-sets, and composition 
given using substitution in C and the projections. 


Definition 5 does not involve ‘global’ conditions like naturality, so is particularly amenable to a type-theoretic interpretation. As in the categorical setting, 
however, it can be rephrased using natural isomorphisms (cf. [30, §3.2]). 


Lemma 4. Let $f : M \to N$ be a multicategory functor. 
1. Giving a universal arrow from $f$ to $Y \in |N|$ is equivalent to giving $R \in |M|$ and 
an isomorphism $\varphi_{A_1,\dots,A_n} : M(A_1,\dots,A_n; R) \cong N(fA_1,\dots,fA_n; Y)$, natural in 
the sense that the left diagram below commutes for any $t : A_1,\dots,A_n \to B$; 
2. Giving a universal arrow from $X_1,\dots,X_n \in |N|$ to $f$ is equivalent to giving 
$R \in |M|$ and an isomorphism $\psi_B : M(R; B) \cong N(X_1,\dots,X_n; fB)$, natural 
in the sense that the right diagram below commutes for any $u : B \to C$. 

$$\begin{array}{ccc} M(B; R) & \xrightarrow{\ \varphi_B\ } & N(fB; Y) \\ {\scriptstyle (-)\langle t\rangle}\downarrow & & \downarrow{\scriptstyle (-)\langle ft\rangle} \\ M(A_1,\dots,A_n; R) & \xrightarrow{\ \varphi_{A_1,\dots,A_n}\ } & N(fA_1,\dots,fA_n; Y) \end{array} \qquad\qquad \begin{array}{ccc} M(R; B) & \xrightarrow{\ \psi_B\ } & N(X_1,\dots,X_n; fB) \\ {\scriptstyle u\langle -\rangle}\downarrow & & \downarrow{\scriptstyle f(u)\langle -\rangle} \\ M(R; C) & \xrightarrow{\ \psi_C\ } & N(X_1,\dots,X_n; fC) \end{array}$$

In equations: $\varphi_{A_1,\dots,A_n}(v\langle t\rangle) = \varphi_B(v)\langle ft\rangle$ for every $v : B \to R$, and $\psi_C(u\langle w\rangle) = f(u)\langle \psi_B(w)\rangle$ for every $w : R \to B$. 

A corollary is that giving a right adjoint to a multicategory functor $f : N \to M$ 
in Hermida's 2-category of multicategories is equivalent to giving a mapping 
$g_0 : |M| \to |N|$ and a universal arrow $fg_0(X) \to X$ from $f$ to $X$ for each $X \in |M|$. 
4 Product structure 


We now have enough to define products for multicategories, and hence for clones. 
An $n$-ary product is exactly a limit over the discrete category with $n$ objects. 
Rephrasing in terms of universal arrows (e.g. [30, §3]) we get that equipping a category $\mathcal{C}$ with $n$-ary products is exactly equipping it with a universal arrow from 
the diagonal functor $\Delta : \mathcal{C} \to \mathcal{C}^{\times n}$ to $(A_1,\dots,A_n)$ for every $A_1,\dots,A_n \in \mathcal{C}$. 
Since $\mathbf{Multicat}$ has finite products defined in much the same way as the 
category of small categories $\mathbf{Cat}$, we may make the following definition. The 
prefix ‘cartesian’ is already used for multicategories, so we use ‘finite-products’. 


Definition 6. An fp-multicategory is a multicategory $M$ equipped with a universal arrow $\big(\prod_{i=1}^n A_i,\ (\pi_i : \prod_{i=1}^n A_i \to A_i)_{i=1,\dots,n}\big)$ from the diagonal functor $\Delta^{(n)} : M \to M^{\times n}$ 
to $(A_1,\dots,A_n)$ for every $n \in \mathbb{N}$ and $A_1,\dots,A_n \in |M|$. 


Asking for $M$ to have finite products is equivalent to asking for a product 
object $\prod_{i=1}^n A_i$ and unary multimaps $(\pi_i : \prod_{i=1}^n A_i \to A_i)_{i=1,\dots,n}$ for each 
$A_1,\dots,A_n \in |M|$, such that composition induces isomorphisms $M(\Gamma; \prod_{i=1}^n A_i) \cong \prod_{i=1}^n M(\Gamma; A_i)$. In the internal language, this amounts to the following rules 

$$\frac{}{p : \prod_{i=1}^n A_i \vdash \pi_i(p) : A_i} \qquad \frac{(\Gamma \vdash t_i : A_i)_{i=1,\dots,n}}{\Gamma \vdash \langle t_1,\dots,t_n\rangle : \prod_{i=1}^n A_i} \qquad (3)$$

together with the equations 

$$\pi_i(\langle t_1,\dots,t_n\rangle) = t_i, \qquad \langle \pi_1(p),\dots,\pi_n(p)\rangle[u/p] = u .$$


We can now derive the rules for $\&$ in linear $\lambda$-calculus. Indeed, given 
$\Gamma, x : A_i, \Theta \vdash t : B$, from (3) we get $\Gamma, p : \prod_{i=1}^n A_i, \Theta \vdash t[\pi_i(p)/x] : B$. This 
suggests the following. Let $\mathcal{O}^{\&}_S$ (resp. $\mathcal{L}^{\&}_S$) be the extension of $\mathcal{O}_S$ (resp. $\mathcal{L}_S$) with 

$$\frac{(i = 1,\dots,n) \quad \Gamma, x_i : A_i, \Theta \vdash t : C \quad \Delta \vdash u : \&_{i=1}^n A_i}{\Gamma, \Delta, \Theta \vdash \mathsf{let}\ x_i\ \mathsf{be}\ \mathsf{p}_i\ \mathsf{of}\ u\ \mathsf{in}\ t : C} \qquad \frac{(\Gamma \vdash t_i : A_i)_{i=1,\dots,n}}{\Gamma \vdash \langle t_1,\dots,t_n\rangle : \&_{i=1}^n A_i}$$

$$\mathsf{let}\ x_i\ \mathsf{be}\ \mathsf{p}_i\ \mathsf{of}\ \langle u_j\rangle_{j=1}^n\ \mathsf{in}\ t = t[u_i/x_i], \qquad \big\langle \mathsf{let}\ x_i\ \mathsf{be}\ \mathsf{p}_i\ \mathsf{of}\ u\ \mathsf{in}\ x_i\big\rangle_{i=1}^n = u$$

where we write $\langle u_i\rangle_{i=1}^n$ for $\langle u_1,\dots,u_n\rangle$. This syntax defines a free property. To 
see this, say a multicategory functor $f$ (strictly) preserves finite products if it 
preserves all the data on the nose, so that $f(\prod_{i=1}^n A_i) = \prod_{i=1}^n fA_i$, $f(\pi_i) = \pi_i$ and $f(\langle t_1,\dots,t_n\rangle) = \langle ft_1,\dots,ft_n\rangle$. Write $\mathbf{fpMulticat}$ for the category 
of fp-multicategories and product-preserving functors, and $\mathbf{fpSMulticat}$ for the 
subcategory of symmetric multicategories with finite products, with functors 
preserving both structures. 


Lemma 5. The composite forgetful functor $\mathbf{fpMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ 
has a left adjoint, and the free fp-multicategory on $S$ is $\mathrm{Syn}(\mathcal{O}^{\&}_S)$. This extends 
to symmetric structure: replace $\mathbf{fpMulticat}$ by $\mathbf{fpSMulticat}$ and $\mathcal{O}^{\&}_S$ by $\mathcal{L}^{\&}_S$. 


Returning to the cartesian setting, we define products in a clone using the 
corresponding structure for multicategories and Lemma B] 
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Definition 7. A cartesian clone (C,II) is a clone C equipped with a choice 
of finite products on MC. A (strict) homomorphism of cartesian clones is a 
clone homomorphism f that strictly preserves all the product structure. We write 
CartClone for the category of cartesian clones and strict homomorphisms. 


Writing $\pi_i(t)$ for the multimap $\pi_i[t]$, the rules translate directly to the 
usual product rules of $\lambda$-calculus. So cartesian clones exactly capture $\Lambda^{\times}$. 


Lemma 6. The composite forgetful functor $\mathbf{CartClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a 
left adjoint, and $\mathrm{Syn}(\Lambda^{\times}_S)$ is the free cartesian clone on $S$. 


Using the characterisation of universal arrows in terms of natural isomorphisms we get the following refinement of Example 2. 


Example 4. For any cartesian category $(\mathcal{C}, \Pi)$ the induced clone $\mathsf{P}\mathcal{C}$ is cartesian, 
essentially by definition; this extends to a functor $\mathsf{P} : \mathbf{CartCat} \to \mathbf{CartClone}$. 


Moreover, if $(C, \Pi)$ is a cartesian clone, then so is its nucleus $\overline{C}$. Hence $\overline{(-)}$ 
restricts to a functor $\mathbf{CartClone} \to \mathbf{CartCat}$. 


The two functors in this example are actually adjoints, yielding our first 
version of the schema from the introduction. The unit is identity-on-objects and sends $t : A_1,\dots,A_n \to B$ to $t[\pi_1,\dots,\pi_n] : \prod_{i=1}^n A_i \to B$. 


Proposition 1. The functor $\overline{(-)} : \mathbf{CartClone} \to \mathbf{CartCat}$ fits into the following diagram of adjunctions: 

$$\mathbf{Sig}\ \underset{U}{\overset{F}{\rightleftarrows}}\ \mathbf{CartClone}\ \underset{\mathsf{P}}{\overset{\overline{(-)}}{\rightleftarrows}}\ \mathbf{CartCat} \qquad (F \dashv U,\quad \overline{(-)} \dashv \mathsf{P})$$

Moreover, $U \circ \mathsf{P}$ is equal to the canonical forgetful functor $\mathbf{CartCat} \to \mathbf{Sig}$. 
Hence, the free cartesian category on $S$ is canonically isomorphic to $\overline{\mathrm{Syn}(\Lambda^{\times}_S)}$. 


4.1 Cartesian structure from representability 


In the preceding section we defined products using a multi-ary version of the 
familiar universal property. There is another way to define ‘monoidal structure’ 
in a multicategory: Hermida's representability [17]. From the perspective of linear 
logic, the finite product structure explored above corresponds to the additive 
conjunction $\&$; Hermida's representability will correspond to the multiplicative 
conjunction $\otimes$. We shall also see that, for clones, the two are equivalent. 


Definition 8. A representable multicategory is a multicategory $M$ equipped with 
a universal arrow $\big(T(X_1,\dots,X_n),\ \rho_{X_1,\dots,X_n} : X_1,\dots,X_n \to T(X_1,\dots,X_n)\big)$ from 
$X_1,\dots,X_n$ to the identity $\mathrm{id}_M$ for each $X_1,\dots,X_n \in |M|$; we write $T_{i=1}^n X_i$ for 
$T(X_1,\dots,X_n)$. These universal arrows must be closed under composition, so for contexts $\Gamma_1,\dots,\Gamma_n$ the composite 

$$\rho_{T\Gamma_1,\dots,T\Gamma_n}\langle \rho_{\Gamma_1},\dots,\rho_{\Gamma_n}\rangle : \Gamma_1,\dots,\Gamma_n \to T(T\Gamma_1,\dots,T\Gamma_n)$$

must also be universal. A representable multicategory functor $f$ is a multicategory functor that preserves all the universal arrows, so that $f(T_{i=1}^n A_i) = T_{i=1}^n fA_i$, $f(\rho_{A_1,\dots,A_n}) = \rho_{fA_1,\dots,fA_n}$ and $f(t^{*}) = (ft)^{*}$. Write $\mathbf{RepMulticat}$ for the category of representable multicategories, and $\mathbf{SRepMulticat}$ for the category of 
representable multicategories whose underlying multicategories are also symmetric, with functors preserving both structures. 


Example 5 (cf. Example 1). The multicategory $\mathsf{T}\mathcal{C}$ induced by a monoidal 
category $(\mathcal{C}, \otimes, I)$ is representable. We therefore obtain functors $\mathbf{MonCat} \to \mathbf{RepMulticat}$ and $\mathbf{SMonCat} \to \mathbf{SRepMulticat}$; we denote them both $\mathsf{T}$. 


A representable multicategory is a multicategory equipped with rules which 
are dual to those in (3) in the sense that the universal arrow goes the other 
direction. Indeed, writing $x_1 \otimes \dots \otimes x_n$ for $\rho_{A_1,\dots,A_n}$ and $\mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ p\ \mathsf{in}\ t$ for 
$t^{*}$, and extending this to all terms by 

$$u_1 \otimes \dots \otimes u_n := (x_1 \otimes \dots \otimes x_n)[u_1/x_1,\dots,u_n/x_n], \qquad \mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ u\ \mathsf{in}\ t := (\mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ p\ \mathsf{in}\ t)[u/p]$$

we obtain the following rules, where $\Gamma := (x_i : A_i)_{i=1,\dots,n}$: 

$$\frac{(\Delta_i \vdash u_i : A_i)_{i=1,\dots,n}}{\Delta_1,\dots,\Delta_n \vdash \bigotimes_{i=1}^n u_i : \bigotimes_{i=1}^n A_i} \qquad \frac{\Delta, \Gamma, \Theta \vdash t : B \quad \Lambda \vdash u : \bigotimes_{i=1}^n A_i}{\Delta, \Lambda, \Theta \vdash \mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ u\ \mathsf{in}\ t : B} \qquad (4)$$

$$\mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ p\ \mathsf{in}\ t\big[\textstyle\bigotimes_{i=1}^n x_i / p\big] = t, \qquad \mathsf{let}\ (x_1,\dots,x_n)\ \mathsf{be}\ \textstyle\bigotimes_{i=1}^n x_i\ \mathsf{in}\ t = t$$

We write $\mathcal{O}^{\otimes}_S$ (resp. $\mathcal{L}^{\otimes}_S$) for the extension of $\mathcal{O}_S$ (resp. $\mathcal{L}_S$) with these rules. 
This is essentially the tensor fragment of Abramsky's linear $\lambda$-calculus [1]. The 
connection with multicategories was already made by Hyland & de Paiva [20], 
who showed this type theory arises from Lambek's monoidal multicategories [26]. 


Lemma 7. The composite forgetful functor $\mathbf{RepMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ 
has a left adjoint, and the free representable multicategory on $S$ is the syntactic 
multicategory $\mathrm{Syn}(\mathcal{O}^{\otimes}_S)$. The same holds for symmetric structure, if one replaces 
$\mathbf{RepMulticat}$ by $\mathbf{SRepMulticat}$ and $\mathcal{O}^{\otimes}_S$ by $\mathcal{L}^{\otimes}_S$. 


Combining this lemma with Lemma 5, one sees that a multicategory equipped 
with representable and finite-product structure corresponds to a linear type theory with both $\otimes$ and $\&$. 

We can also obtain a linear version of Proposition 1. Hermida [17] showed that 
the 2-category of representable multicategories is 2-equivalent to the 2-category 
of monoidal categories, and Weber showed this extends to the symmetric case [45]. 
From these constructions one can extract functors $N : \mathbf{RepMulticat} \to \mathbf{MonCat}$ 
and $N_{\mathrm{sym}} : \mathbf{SRepMulticat} \to \mathbf{SMonCat}$ sending a (symmetric) representable 
multicategory to a (symmetric) monoidal structure on its nucleus, together with 
equivalences $\mathbf{RepMulticat} \simeq \mathbf{MonCat}$ and $\mathbf{SRepMulticat} \simeq \mathbf{SMonCat}$. So 
we get the following. 
Proposition 2. The functors $N$ and $N_{\mathrm{sym}}$ fit into the following diagrams of 
adjunctions, where in each case the right-hand adjunction is an equivalence: 

$$\mathbf{Sig}\ \underset{U}{\overset{F}{\rightleftarrows}}\ \mathbf{RepMulticat}\ \underset{\mathsf{T}}{\overset{N}{\rightleftarrows}}\ \mathbf{MonCat} \qquad\qquad \mathbf{Sig}\ \underset{U}{\overset{F}{\rightleftarrows}}\ \mathbf{SRepMulticat}\ \underset{\mathsf{T}_{\mathrm{sym}}}{\overset{N_{\mathrm{sym}}}{\rightleftarrows}}\ \mathbf{SMonCat}$$

Moreover, $U \circ \mathsf{T}$ and $U \circ \mathsf{T}_{\mathrm{sym}}$ are both equal to the canonical forgetful functor to $\mathbf{Sig}$. Hence, the free monoidal (resp. symmetric monoidal) category on a 
signature $S$ is canonically isomorphic to $N(\mathrm{Syn}(\mathcal{O}^{\otimes}_S))$ (resp. $N_{\mathrm{sym}}(\mathrm{Syn}(\mathcal{L}^{\otimes}_S))$). 


We now turn to studying representability in the cartesian setting. 


Definition 9. A representable clone is a clone $C$ equipped with a choice of representable structure on $\mathsf{M}C$. A representable clone homomorphism is a clone 
homomorphism which preserves the representable structure as in Definition 8. 


A cartesian clone makes the projections primitive (recall (3)) but a representable clone makes the pairing operation primitive (recall (4)). It turns out 
these perspectives are equivalent. In the proof-theoretic setting such ideas are 
well-studied (cf. the equivalence of G-systems and N-systems in [42, §3.3]); the 
categorical statement has also been made by Pisani [34] and Shulman [40]. 


Proposition 3. Equipping a clone C with representable structure is equivalent 
to equipping C with cartesian structure. 


In Proposition 2 we gave an equivalence of categories but in Proposition 1 
we only gave an adjunction. We can now upgrade the latter to an equivalence. 
Indeed, $\overline{(-)} \circ \mathsf{P}$ is equal to the identity. On the other hand, if $(C, \Pi)$ is a cartesian 
clone then by Proposition 3 and Lemma 4 we have a multi-natural isomorphism 

$$C(A_1,\dots,A_n; B) \cong C\big(\textstyle\prod_{i=1}^n A_i; B\big) = \mathsf{P}(\overline{C})(A_1,\dots,A_n; B).$$
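As an added worked example, not part of the original text, the isomorphism above can be written out directly from the product rules (3) of $\mathsf{M}C$, with $\mathsf{p}_i$ the projections of the clone $C$, $\pi_i$ the unary product projections and $\langle - \rangle$ the pairing. For $t : A_1,\dots,A_n \to B$ and $s : \prod_{i=1}^n A_i \to B$ put

$$\Phi(t) := t[\pi_1,\dots,\pi_n] : \textstyle\prod_{i=1}^n A_i \to B, \qquad \Psi(s) := s[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle] : A_1,\dots,A_n \to B ,$$

so $\Phi$ is the unit of $\overline{(-)} \dashv \mathsf{P}$ described after Example 4. Write $\beta$ for the law $\pi_i[\langle t_1,\dots,t_n\rangle] = t_i$ and $\eta$ for the law $\langle \pi_1[u],\dots,\pi_n[u]\rangle = u$ from (3), and use the associativity and unit laws of Definition 3:

$$\begin{aligned}
\Psi(\Phi(t)) &= t[\pi_1,\dots,\pi_n][\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle]
 = t\big[\pi_1[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle],\dots,\pi_n[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle]\big]
 \overset{\beta}{=} t[\mathsf{p}_1,\dots,\mathsf{p}_n] = t,\\
\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle[\pi_1,\dots,\pi_n]
 &\overset{\eta}{=} \big\langle \pi_1[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle[\pi_1,\dots,\pi_n]],\dots\big\rangle
 = \big\langle \pi_1[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle][\pi_1,\dots,\pi_n],\dots\big\rangle
 \overset{\beta}{=} \langle \mathsf{p}_1[\pi_1,\dots,\pi_n],\dots,\mathsf{p}_n[\pi_1,\dots,\pi_n]\rangle
 = \langle \pi_1,\dots,\pi_n\rangle,\\
\Phi(\Psi(s)) &= s[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle][\pi_1,\dots,\pi_n]
 = s\big[\langle \mathsf{p}_1,\dots,\mathsf{p}_n\rangle[\pi_1,\dots,\pi_n]\big]
 = s[\langle \pi_1,\dots,\pi_n\rangle]
 = s[\langle \pi_1[\mathsf{p}_1],\dots,\pi_n[\mathsf{p}_1]\rangle]
 \overset{\eta}{=} s[\mathsf{p}_1] = s .
\end{aligned}$$

In the last line $\mathsf{p}_1$ is the unary projection (the identity) on $\prod_{i=1}^n A_i$, so $\pi_i[\mathsf{p}_1] = \pi_i$ by the unit law and $\eta$ applied to $u := \mathsf{p}_1$ collapses the pairing. Thus $\Phi$ and $\Psi$ are mutually inverse; multi-naturality of $\Phi$ in $A_1,\dots,A_n$ and in $B$ is the same kind of calculation with the associativity law.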


Corollary 1 ([34]). The functors $\mathsf{P}$ and $\overline{(-)}$ of Proposition 1 define an adjoint 
equivalence $\mathbf{CartClone} \simeq \mathbf{CartCat}$. 


4.2 Recovering the semantic interpretation and syntactic model 


We now show how the usual semantic interpretation, syntactic model, and sound- 
ness and completeness results can be derived from the multi-ary framework. Al- 
though we shall not pursue the point in detail for reasons of space, essentially 
the same argument holds for all the calculi considered in this paper. 


Semantic interpretation and soundness. We recover the usual semantic interpretation of $\Lambda^{\times}$ in a cartesian category by Lemma 6 and Example 4 as follows. 
Let $U : \mathbf{CartCat} \to \mathbf{Sig}$ be the functor sending a cartesian category $(\mathcal{C}, \Pi)$ to 
the signature with objects those of $\mathcal{C}$ and constants $\{\mathcal{C}(\prod_{i=1}^n A_i, B)\}_{A_1,\dots,A_n,B \in \mathcal{C}}$. 
An interpretation $s : S \to U\mathcal{C}$ of basic types and constants in $\mathcal{C}$ is exactly an 
interpretation $s : S \to U(\mathsf{P}\mathcal{C})$ in the induced cartesian clone. The unique extension $s[\![-]\!] : \mathrm{Syn}(\Lambda^{\times}_S) \to \mathsf{P}\mathcal{C}$ sends a term $x_1 : A_1,\dots,x_n : A_n \vdash t : B$ to 
a multimap $s[\![A_1]\!],\dots,s[\![A_n]\!] \to s[\![B]\!]$ in $\mathsf{P}\mathcal{C}$, which is exactly a map 
$\prod_{i=1}^n s[\![A_i]\!] \to s[\![B]\!]$ in $\mathcal{C}$. It is not hard to show this coincides with the usual, 
inductively defined semantic interpretation. Unlike with the unary approach, we 
do not need to prove soundness with respect to $\beta\eta$ as a separate lemma: this 
holds immediately from the fact $s[\![-]\!]$ is a cartesian clone homomorphism. 
Moreover, for any objects $A_1,\dots,A_n$ in a cartesian clone one can construct a 
‘multi-isomorphism’ $(A_1,\dots,A_n) \cong \prod_{i=1}^n A_i$ (see [38, Lemma 4.2.16]). Hence, in 
a cartesian simple type theory with products, contexts must coincide with product 
types. Together with the preceding, this provides a mathematical explanation for 
the identification of contexts and product types in the interpretation of $\Lambda^{\times}$. 


Syntactic model. We extract the construction from Proposition 1. For a signature $S$ the cartesian category $\overline{\mathrm{Syn}(\Lambda^{\times}_S)}$ has objects the types of $\Lambda^{\times}_S$ and morphisms $A \to B$ given by $\alpha\beta\eta$-equivalence classes of terms $x : A \vdash t : B$ for a 
fixed variable $x$. Composition is substitution and the identity on $A$ is the variable $x : A$. The projections are $x : \prod_{i=1}^n A_i \vdash \pi_i(x) : A_i$ and the pairing of 
the maps $(x : C \vdash t_i : A_i)_{i=1,2}$ is $x : C \vdash \langle t_1, t_2\rangle : A_1 \times A_2$. The usual proofs 
that this is indeed cartesian (see e.g. [9, Chapter 3]) have been replaced by the 
simple observation of Example 4. 


Completeness. Once again, the proof is largely category-theoretic. Note first 
that the functor $\overline{(-)} : \mathbf{CartClone} \to \mathbf{CartCat}$ is faithful. One can prove this 
directly using Proposition 3 or infer it from Corollary 1 and the fact any equivalence is fully faithful. In any case, it follows by standard results (e.g. [37, Lemma 
4.5.13]) that the unit $\eta'$ of the adjunction $\overline{(-)} \dashv \mathsf{P}$ is monic. Just as in $\mathbf{Cat}$, 
any monomorphism of clones is injective on objects and injective on multimaps. 
It suffices, therefore, to find a semantic interpretation $\iota[\![-]\!]$ which is equal to a 
component of $\eta'$. This is accomplished by the next lemma. 


Lemma 8. Let $F \dashv U : \mathcal{C} \rightleftarrows \mathcal{D}$ and $F' \dashv U' : \mathcal{D} \rightleftarrows \mathcal{E}$ be adjunctions with units $\eta : \mathrm{id}_{\mathcal{C}} \Rightarrow UF$ 
and $\eta' : \mathrm{id}_{\mathcal{D}} \Rightarrow U'F'$. Then for any $C \in \mathcal{C}$, the unit $\eta'_{FC} : FC \to U'F'FC$ is the 
unique map $h$ such that the following diagram commutes, the diagonal being the unit of the composite adjunction $F'F \dashv UU'$ at $C$: 

$$\begin{array}{ccc} C & \xrightarrow{\ \eta_C\ } & UFC \\ & \searrow & \downarrow{\scriptstyle Uh} \\ & & UU'F'FC \end{array}$$

In the setting of Proposition 1 this lemma implies that the component $\eta'_{\mathrm{Syn}(\Lambda^{\times}_S)} : \mathrm{Syn}(\Lambda^{\times}_S) \to \mathsf{P}\big(\overline{\mathrm{Syn}(\Lambda^{\times}_S)}\big)$ of the unit for the adjunction $\overline{(-)} \dashv \mathsf{P}$ is exactly the 
unique cartesian clone homomorphism $\iota[\![-]\!]$ extending the obvious interpretation 
$\iota : S \to U\,\overline{\mathrm{Syn}(\Lambda^{\times}_S)}$ of base types and constants in the free cartesian category. By 
our preceding discussion, this clone homomorphism is injective on multimaps: 
so if $\iota[\![t]\!] = \iota[\![t']\!]$ then $t = t'$ in $\mathrm{Syn}(\Lambda^{\times}_S)$, hence $t =_{\beta\eta} t'$. 
5 Closed structure 


To define closed structure, we follow Lambek’s definition and simply upgrade 
the hom-set definition of exponentials to multicategories. 


Definition 10 ([26]). A closed multicategory is a multicategory $M$ equipped 
with an object $[A, B]$ and multimap $\mathrm{eval}_{A,B} : [A, B], A \to B$ for every $A, B \in |M|$, such that composition induces isomorphisms as shown: 

$$\lambda : M(\Gamma, A; B) \;\rightleftarrows\; M(\Gamma; [A, B]) : \mathrm{eval}_{A,B}\langle -, \mathrm{Id}_A\rangle \qquad (5)$$

A (strict) closed multicategory functor is a multicategory functor $f$ which preserves all the data: $f([A, B]) = [fA, fB]$, $f(\mathrm{eval}_{A,B}) = \mathrm{eval}_{fA,fB}$ and $f(\lambda t) = \lambda(ft)$. We write $\mathbf{ClMulticat}$ for the category of closed multicategories and their 
functors, and $\mathbf{ClSMulticat}$ for the category of symmetric multicategories with 
closed structure, and functors preserving both of these. 


Example 6. If $(\mathcal{C}, \otimes, I, [-,=])$ is a closed (symmetric) monoidal category then 
the induced (symmetric) multicategory $\mathsf{T}\mathcal{C}$ is also closed. 


Closed multicategories allow us to model exponentials without requiring a 
tensor product. Writing out the rules in the internal language, we get the map 
$\lambda$ in (5) as the usual abstraction rule, and the evaluation map as the application 
$f : A \multimap B, x : A \vdash f\,x : B$. We then see that $\Delta, f : A \multimap B, x : A \vdash u[f\,x/y] : C$ 
whenever $\Delta, y : B \vdash u : C$, so we recover a small adaptation of Abramsky's rules 
for exponentials. Write $\mathcal{O}^{\multimap}_S$ (resp. $\mathcal{L}^{\multimap}_S$) for the extension of $\mathcal{O}_S$ (resp. $\mathcal{L}_S$) with 
the following rules and the $\beta\eta$-laws familiar from $\Lambda^{\Rightarrow}$: 

$$\frac{\Delta, y : B \vdash u : C \quad \Theta \vdash t : A \multimap B \quad \Gamma \vdash v : A}{\Delta, \Theta, \Gamma \vdash u[t\,v/y] : C} \qquad \frac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x.\,t : A \multimap B}$$

Lemma 9 ([20]). The composite forgetful functor $\mathbf{ClMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ has a left adjoint, and the free closed multicategory on $S$ is the syntactic 
multicategory $\mathrm{Syn}(\mathcal{O}^{\multimap}_S)$. The same holds for symmetric structure, if one replaces 
$\mathbf{ClMulticat}$ by $\mathbf{ClSMulticat}$ and $\mathcal{O}^{\multimap}_S$ by $\mathcal{L}^{\multimap}_S$. 


For the cartesian case, we follow the same procedure as in Section 4. 


Definition 11. A closed clone is a clone $C$ equipped with a closed structure on 
$\mathsf{M}C$. We write $\mathbf{ClClone}$ for the category of closed clones and clone homomorphisms preserving the closed structure as in Definition 10. 


Example 7. If $(\mathcal{C}, \Pi, \Rightarrow)$ is a cartesian closed category, the clone $\mathsf{P}\mathcal{C}$ is closed. 


Definition 11 recovers the usual $\beta\eta$-laws for exponentials in $\Lambda^{\Rightarrow}$, complete 
with the weakenings that are usually implicit. Writing $f\,x$ for $\mathrm{eval}_{A,B}[f, x]$, we get the 
following equations in the internal language when $\Gamma := (x_i : A_i)_{i=1,\dots,n}$: 

$$(f\,x)\big[(\lambda x.\,t)[x_1/x_1,\dots,x_n/x_n]/f,\ x/x\big] = t, \qquad \lambda x.\,(f\,x)\big[t[x_1/x_1,\dots,x_n/x_n]/f\big] = t$$


Lemma 10. The composite forgetful functor $\mathbf{ClClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a 
left adjoint, and the free closed clone on $S$ is the syntactic clone $\mathrm{Syn}(\Lambda^{\Rightarrow}_S)$. 
6 Cartesian closed structure 


The development above makes defining cartesian closed structure straightfor- 
ward. For reasons of space we restrict ourselves to the cartesian case, but similar 
remarks apply to the linear and ordered cases. 


Definition 12. A cartesian closed clone is a clone equipped with both closed 
structure and cartesian structure. We write CCClone for the category of carte- 
sian closed clones and homomorphisms that strictly preserve both structures. 


By Lemmas 6 and 10 we already have a free property. 


Lemma 11. The composite forgetful functor $\mathbf{CCClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a 
left adjoint, and $\mathrm{Syn}(\Lambda^{\times,\Rightarrow}_S)$ is the free cartesian closed clone on $S$. 


The nucleus of any cartesian closed clone $(C, \Pi, \Rightarrow)$ is also cartesian closed: 

$$\overline{C}(A \times B, C) = C(A \times B; C) \cong C(A, B; C) \cong C(A; B \Rightarrow C) = \overline{C}(A, B \Rightarrow C)$$

Similarly, by Examples 4 and 7, for any cartesian closed category $(\mathcal{C}, \Pi, \Rightarrow)$ the 
induced clone $\mathsf{P}\mathcal{C}$ is cartesian closed. Proposition 1 then restricts as follows. 


Proposition 4. The functor $\overline{(-)} : \mathbf{CCClone} \to \mathbf{CCCat}$ fits into the following 
diagram, in which the right-hand adjunction is an equivalence: 

$$\mathbf{Sig}\ \underset{U}{\overset{F}{\rightleftarrows}}\ \mathbf{CCClone}\ \underset{\mathsf{P}}{\overset{\overline{(-)}}{\rightleftarrows}}\ \mathbf{CCCat}$$

Moreover, $U \circ \mathsf{P}$ is equal to the canonical forgetful functor $\mathbf{CCCat} \to \mathbf{Sig}$. Hence, 
the free cartesian closed category on $S$ is canonically isomorphic to $\overline{\mathrm{Syn}(\Lambda^{\times,\Rightarrow}_S)}$. 


As in Section 4.2, the preceding two results are enough to recover the sound 
semantic interpretation of $\Lambda^{\times,\Rightarrow}$, and the usual syntactic model. 


7 Cartesian combinatory logic and SK-clones 


In this section we begin a multi-ary investigation of cartesian combinatory logic, 
and give a categorical statement of the classical correspondence between combinatory logic and $\Lambda^{\Rightarrow}$ (for which see e.g. [5, 6]). In Section 8 we shall use this to 
define SK-categories and show they are sound and complete for $\Lambda^{\Rightarrow}$. 

We briefly recapitulate the rules of typed combinatory logic $\mathrm{CL}_S$ over a signature $S$; for a fuller account see e.g. [6]. Types are as in $\Lambda^{\Rightarrow}$. Terms are given by 
the grammar $t, u ::= x \mid c \in S(\Gamma; B) \mid (t\,u) \mid \mathbf{S} \mid \mathbf{K}$: we have variables, constants and 
an application operation as in $\Lambda^{\Rightarrow}$ and, for any context $\Gamma$ and types $A$, $B$ and 
$C$, two combinators $\Gamma \vdash \mathbf{S}_{A,B,C} : (A \Rightarrow (B \Rightarrow C)) \Rightarrow ((A \Rightarrow B) \Rightarrow (A \Rightarrow C))$ 
and $\Gamma \vdash \mathbf{K}_{A,B} : A \Rightarrow (B \Rightarrow A)$. Substitution is as in $\Lambda^{\Rightarrow}$, where the combinators 
$Z \in \{\mathbf{S}, \mathbf{K}\}$ satisfy $Z[u_1/x_1,\dots,u_n/x_n] = Z$, so that $Z^{\Gamma}$ is the weakening of $Z^{\diamond}$. 
The correlate of $\beta$-equality is weak equality $=_{\mathrm{w}}$, which is the smallest congruence containing $\mathbf{S}\,x\,y\,z = (x\,z)\,(y\,z)$ and $\mathbf{K}\,x\,y = x$. The correlate of $\beta\eta$-equality 
is extensional weak equality $=_{\mathrm{w,ext}}$, which extends $=_{\mathrm{w}}$ with the rule 

$$\frac{t\,x_1 \cdots x_n = t'\,x_1 \cdots x_n \qquad x_1,\dots,x_n \text{ not free in } t \text{ or } t'}{t = t'} \qquad (6)$$

We write $\mathrm{CL}^{\mathrm{w}}$ for combinatory logic with weak equality and $\mathrm{CL}^{\mathrm{w,ext}}$ for combinatory logic with extensional weak equality. The usual encoding of $\mathrm{CL}^{\mathrm{w}}$ in $\Lambda^{\Rightarrow}$ 
sends $\mathbf{S}$ and $\mathbf{K}$ to $\lambda f.\,\lambda g.\,\lambda x.\,(f\,x)\,(g\,x)$ and $\lambda x.\,\lambda y.\,x$, respectively. 

The next definition may be obtained by seeing that $\mathrm{CL}^{\mathrm{w}}$ can be presented 
as an algebraic theory, and that clones are equivalent to algebraic theories 
(e.g. [29, 41]). We implicitly bracket application to the left, so $t \cdot u \cdot v := (t \cdot u) \cdot v$. 
We also write $(-)^{\Delta,\Theta}$ for the weakening map $C(\Gamma; B) \to C(\Delta, \Gamma, \Theta; B)$ sending 
$t$ to $t[\mathsf{p}_{|\Delta|+1},\dots,\mathsf{p}_{|\Delta|+|\Gamma|}]$; when $\Delta$ is empty we write just $(-)^{\Theta}$. 


Definition 13. An SK-clone is a clone $C$ equipped with a mapping $[-,=] : |C| \times |C| \to |C|$, nullary multimaps $\mathbf{S}_{A,B,C} \in C(\diamond; [[A,[B,C]],[[A,B],[A,C]]])$ 
and $\mathbf{K}_{A,B} \in C(\diamond; [A,[B,A]])$ for every $A, B, C \in |C|$, and a binary application 
operation $(- \cdot =) : C(\Gamma; [A,B]) \times C(\Gamma; A) \to C(\Gamma; B)$ for every $\Gamma \in |C|^*$ and 
$A, B \in |C|$, such that the following axioms hold whenever they are well-typed: 

$$(t \cdot u)[v_1,\dots,v_n] = t[v_1,\dots,v_n] \cdot u[v_1,\dots,v_n], \qquad (\mathbf{K}_{A,B})^{A,B} \cdot \mathsf{p}_1 \cdot \mathsf{p}_2 = \mathsf{p}_1,$$

$$(\mathbf{S}_{A,B,C})^{[A,[B,C]],\,[A,B],\,A} \cdot \mathsf{p}_1 \cdot \mathsf{p}_2 \cdot \mathsf{p}_3 = (\mathsf{p}_1 \cdot \mathsf{p}_3) \cdot (\mathsf{p}_2 \cdot \mathsf{p}_3)$$

A homomorphism of SK-clones is a clone homomorphism that preserves application, $\mathbf{S}$ and $\mathbf{K}$: $f(\mathbf{S}_{A,B,C}) = \mathbf{S}_{fA,fB,fC}$, $f(\mathbf{K}_{A,B}) = \mathbf{K}_{fA,fB}$ and $f(t \cdot u) = ft \cdot fu$. 
We write $\mathbf{SKClone}$ for the category of SK-clones and their homomorphisms. 


Lemma 12. The composite forgetful functor $\mathbf{SKClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a 
left adjoint, and the free SK-clone on $S$ is the syntactic clone $\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_S)$. 


A core feature of the syntax of combinatory logic, which is at the heart of 
the correspondence between the terms of $\mathrm{CL}^{\mathrm{w,ext}}$ and $\Lambda^{\Rightarrow}$, is the admissibility 
of bracket abstraction algorithms (see e.g. [5, §7.1]). To express this in the typed 
setting, we use the following notation. For a binary operation $[-,=]$ on a set $S$ 
we define $[-;=] : S^* \times S \to S$ inductively as follows: 

$$[\diamond; B] = B, \qquad [A; B] = [A, B], \qquad [\Gamma, A; B] = [\Gamma; [A, B]]$$

With this notation, bracket abstraction amounts to saying that if $\Gamma := (x_i : A_i)_{i=1,\dots,n}$ and $\Gamma \vdash t : B$ in $\mathrm{CL}^{\mathrm{w}}$, there exists a closed term $\diamond \vdash t^{\circ} : [\Gamma; B]$ 
such that $(t^{\circ})^{\Gamma}\,x_1 \cdots x_n =_{\mathrm{w}} t$. The extensionality axiom (6) then says that $t^{\circ}$ is 
unique: in other words, $t \mapsto t^{\Gamma}\,x_1 \cdots x_n$ is an isomorphism. 
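As an added worked example, not part of the original text, here is the standard one-variable bracket abstraction algorithm written in the typed notation above, together with the check that it produces the $t^{\circ}$ the text asks for. For a variable $x : A$ define $[x]t$ by recursion on the term $t$ (weakenings of the closed combinators into the ambient context are left implicit, as in $Z^{\Gamma}$ above):

$$\begin{aligned}
[x]x &:= \mathbf{S}_{A,\,A \Rightarrow A,\,A}\ \mathbf{K}_{A,\,A \Rightarrow A}\ \mathbf{K}_{A,A} && : A \Rightarrow A,\\
[x]a &:= \mathbf{K}_{B,A}\ a && : A \Rightarrow B \quad (a : B \text{ a constant, a combinator, or a variable other than } x),\\
[x](t\,u) &:= \mathbf{S}_{A,B,C}\ ([x]t)\ ([x]u) && : A \Rightarrow C \quad (t : B \Rightarrow C,\ u : B).
\end{aligned}$$

Type-checking the first clause: $\mathbf{K}_{A,A\Rightarrow A} : A \Rightarrow ((A \Rightarrow A) \Rightarrow A)$ and $\mathbf{K}_{A,A} : A \Rightarrow (A \Rightarrow A)$ are exactly the two arguments expected by $\mathbf{S}_{A,A\Rightarrow A,A}$, whose result type is $A \Rightarrow A$. The defining property $([x]t)\,x =_{\mathrm{w}} t$ follows by induction on $t$ using only the two equations generating $=_{\mathrm{w}}$:

$$\begin{aligned}
([x]x)\,x &= \mathbf{S}\,\mathbf{K}\,\mathbf{K}\,x =_{\mathrm{w}} (\mathbf{K}\,x)\,(\mathbf{K}\,x) =_{\mathrm{w}} x,\\
([x]a)\,x &= \mathbf{K}\,a\,x =_{\mathrm{w}} a,\\
([x](t\,u))\,x &= \mathbf{S}\,([x]t)\,([x]u)\,x =_{\mathrm{w}} (([x]t)\,x)\,(([x]u)\,x) =_{\mathrm{w}} t\,u .
\end{aligned}$$

For a context $\Gamma = (x_1 : A_1,\dots,x_n : A_n)$ one abstracts from the inside out, $t^{\circ} := [x_1]([x_2](\cdots[x_n]t))$, which is closed of type $[\Gamma; B] = [A_1,[A_2,\dots,[A_n,B]]]$ and satisfies $t^{\circ}\,x_1 \cdots x_n =_{\mathrm{w}} t$ by $n$ applications of the one-variable case (the variables $x_{i+1},\dots,x_n$ are simply ‘other variables’ while $[x_i]$ is being computed). The clause for constants is where the nullary-signature restriction of Lemma 13 enters: an open constant $c \in S(\Gamma; B)$ with $\Gamma \neq \diamond$ has no closed term to place under $\mathbf{K}$. Note also that $[x]$ is defined on terms, not on $=_{\mathrm{w}}$-classes; rule (6) is exactly what makes $t \mapsto t^{\circ}$ well defined on classes, since any two closed terms with the same applicative behaviour on $x_1,\dots,x_n$ become identified.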

We now translate this into clone-theoretic terms. For any SK-clone $C$ and $\Gamma := (A_1,\dots,A_n)$ we 
obtain the operation $t \mapsto t^{\Gamma} \cdot \mathsf{p}_1 \cdots \mathsf{p}_n$ as the composite below: 

$$\iota_{\Gamma;B} : C(\diamond; [\Gamma; B]) \xrightarrow{\ (-)^{\Gamma}\ } C(\Gamma; [\Gamma; B]) \xrightarrow{\ (-) \cdot \mathsf{p}_1\ } C(\Gamma; [A_2,\dots,A_n; B]) \xrightarrow{\ (-) \cdot \mathsf{p}_2\ } \cdots \xrightarrow{\ (-) \cdot \mathsf{p}_n\ } C(\Gamma; B)$$

For $\Gamma := \diamond$ this is just the identity. The admissibility of bracket abstraction 
in the syntax of $\mathrm{CL}^{\mathrm{w}}$ is then captured by the next lemma. Typically bracket 
abstraction algorithms restrict to closed constants, because an open constant 
may have no corresponding closed term. We restrict in the same way. Call a 
signature $S$ nullary if $S(\Gamma; A) = \emptyset$ whenever $\Gamma \neq \diamond$, and write $\mathbf{Sig}_0 \hookrightarrow \mathbf{Sig}$ for 
the full subcategory of nullary signatures. 


Lemma 13. Let $S$ be a nullary signature. Then for any $\Gamma \in |\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_S)|^*$ and 
$B \in |\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_S)|$ there exists a map $(-)^{\circ}$ such that $\iota_{\Gamma;B} \circ (-)^{\circ} = \mathrm{id}_{\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_S)(\Gamma;B)}$. 


Because bracket abstraction is defined by induction on the syntax, we cannot 
straightforwardly define it in an arbitrary SK-clone. We can, however, consider 
the subcategory of SK-clones (= semantic models of $\mathrm{CL}^{\mathrm{w}}$) which admit bracket 
abstraction in the sense that each $\iota_{\Gamma;B}$ has a retraction. The extensional models 
are then those for which this retraction $(-)^{\circ}$ also satisfies uniqueness. 


Definition 14. An SK-clone $C$ is extensional if for every $\Gamma \in |C|^*$ and $B \in |C|$ 
the map $\iota_{\Gamma;B}$ defined above is invertible. We write $\mathbf{SKClone}_{\mathrm{ext}}$ for the full 
subcategory of $\mathbf{SKClone}$ consisting of just the extensional SK-clones. 


Lemma 14. The composite forgetful functor $\mathbf{SKClone}_{\mathrm{ext}} \to \mathbf{Clone} \to \mathbf{Sig}_0$ 
has a left adjoint, and the free extensional SK-clone on a nullary signature $S$ is 
the syntactic clone $\mathrm{Syn}(\mathrm{CL}^{\mathrm{w,ext}}_S)$. 


7.1 Extensional SK-clones are closed clones 


In this section we outline why $\mathbf{SKClone}_{\mathrm{ext}}$ is equivalent to $\mathbf{ClClone}$, thereby 
giving a category-theoretic equivalence not just between the syntax of $\mathrm{CL}^{\mathrm{w,ext}}$ 
and $\Lambda^{\Rightarrow}$ but also between their models. The proof uses extensionality or the $\eta$-law to pass from arbitrary multimaps to nullary ones, from which one can build 
a strict closed clone. We shall rely heavily on the following simple observation. 


Lemma 15. Let $C$ be a clone and $X := \{X(\Gamma; B)\}_{\Gamma \in |C|^*,\, B \in |C|}$ a family of sets 
together with an isomorphism $\{\nu_{\Gamma;A} : C(\Gamma; A) \to X(\Gamma; A)\}_{\Gamma, A}$ between $X$ and 
the hom-sets of $C$ in the functor category $[|C|^* \times |C|, \mathbf{Set}]$. Then $X$ acquires a 
canonical clone structure and $\nu$ becomes an isomorphism of clones. 


We now introduce strict closed clones. 


Definition 15. A strict closed clone is a closed clone $(C, \Rightarrow, \mathrm{eval})$ such that 
every $\lambda : C(\Gamma, A; B) \to C(\Gamma; A \Rightarrow B)$ is the identity. We write $\iota : \mathbf{ClClone}_{\mathrm{st}} \hookrightarrow \mathbf{ClClone}$ for the full subcategory consisting of just the strict closed clones. 


Any closed clone $(C, \Rightarrow, \mathrm{eval})$ determines a strict closed clone $\mathsf{S}C$ and a 
clone isomorphism $\Lambda_C : C \to \mathsf{S}C$ by applying Lemma 15 to the isomorphisms 
$C(\Gamma; B) \cong C(\diamond; [\Gamma; B])$ arising from the closed structure, where $[\Gamma; B]$ is formed as in Section 7 with $[A, B] := A \Rightarrow B$. This extends to a 
functor $\mathsf{S} : \mathbf{ClClone} \to \mathbf{ClClone}_{\mathrm{st}}$ sending $f : (C, \Rightarrow, \mathrm{eval}) \to (D, \Rightarrow, \mathrm{eval})$ to 
the composite $\Lambda_D \circ f \circ \Lambda_C^{-1}$. A short calculation shows that the isomorphisms $\Lambda$ 
make $\mathsf{S} : \mathbf{ClClone} \rightleftarrows \mathbf{ClClone}_{\mathrm{st}} : \iota$ into an equivalence of categories. 

We play a similar game for turning extensional SK-clones into (strict) closed 
clones. Indeed, for any extensional SK-clone $C$ we have isomorphisms $C(\Gamma; B) \cong C(\diamond; [\Gamma; B])$ defining a strict closed clone $\mathsf{L}C$ with $(\mathsf{L}C)(\Gamma; B) := C(\diamond; [\Gamma; B])$, 
and hence a functor $\mathsf{L} : \mathbf{SKClone}_{\mathrm{ext}} \to \mathbf{ClClone}_{\mathrm{st}}$ in a similar fashion to $\mathsf{S}$. 

Finally, for any closed clone $(C, \Rightarrow, \mathrm{eval})$ we get an extensional SK-clone $\mathsf{E}C$ 
with the same underlying clone by taking application to be application in $\Lambda^{\Rightarrow}$, 
so $t \cdot u := \mathrm{eval}_{A,B}[t, u]$, and encoding the combinators as usual. 


Theorem 1. There exist equivalences of categories 

$$\mathbf{SKClone}_{\mathrm{ext}}\ \underset{\mathsf{E}' := \mathsf{E} \circ \iota}{\overset{\mathsf{L}}{\rightleftarrows}}\ \mathbf{ClClone}_{\mathrm{st}}\ \underset{\mathsf{S}}{\overset{\iota}{\rightleftarrows}}\ \mathbf{ClClone}$$

with $\mathsf{L}$ and $\mathsf{E}' := \mathsf{E} \circ \iota$ mutually inverse up to isomorphism on the left, and $\iota$ and $\mathsf{S}$ on the right. 


8 A categorical model of A?” 


In Propositions 1 and 4 we recovered a unary semantic interpretation of $\lambda^{\times}$ and $\lambda^{\times,\Rightarrow}$ from our clone-theoretic ones. But we do not have a corresponding result for $\lambda^{\Rightarrow}$. In this section we fill this gap: we introduce SK-categories and show they play the role for $\lambda^{\Rightarrow}$ that cartesian closed categories play for $\lambda^{\times,\Rightarrow}$. Our definition is inspired by closed categories ([11, 10]), which axiomatise an 'internal' version of the hom-functor $C(-, =)$ in the form of a functor $[-, =] : C^{\mathrm{op}} \times C \to C$. Closed categories have a unit object, corresponding to requiring a unit type (cf. [31]); our definition avoids this (see also [39, 43]).

Recall that in the presence of contravariance, dinaturality and extranaturality are the right replacements for naturality (see e.g. [30, §IX.4]).


Definition 16. An SK-category consists of a category $C$ and functors $[-, =] : C^{\mathrm{op}} \times C \to C$ and $U : C \to \mathbf{Set}$, together with

1. Maps $S_{C,D,E} : [C, [D, E]] \to [[C, D], [C, E]]$ dinatural in $C$ and natural in $D$ and $E$;

2. Maps $K^C_D : D \to [C, D]$ extranatural in $C$ and natural in $D$;

3. Maps $\varepsilon_{C,D} : U[C, D] \times UC \to UD$ extranatural in $C$ and natural in $D$.

This data is subject to the condition that $U \circ [-, =] = C(-, =) : C^{\mathrm{op}} \times C \to \mathbf{Set}$ and the 7 axioms of Figure 1a. An SK-functor $(F, \phi, \psi)$ is a functor $F : C \to D$ with natural transformations as below, such that the axioms of Figure 1b hold.

[Diagram: the natural transformations $\phi$ and $\psi$ of an SK-functor; not recoverable from the extraction.]

We call $(F, \phi, \psi)$ strict if $\phi$ is the identity, and write $\mathrm{SKCat}$ for the category of SK-categories and strict SK-functors.


Clones, closed categories, and combinatory logic 177 


[Diagrams (1)–(7): the seven commuting diagrams for an SK-category, built from $U[C, D] \times UC$, $S$, $K$ and $\varepsilon$; not recoverable from the extraction.]
(a) Axioms for an SK-category. In (1) the unlabelled arrow is the canonical map $\langle \langle \pi_1\pi_1, \pi_2 \rangle, \langle \pi_2\pi_1, \pi_2 \rangle \rangle : (X \times Y) \times Z \to (X \times Z) \times (Y \times Z)$. In (3) we write '$\mathrm{id}_C$' for the set map $* \mapsto \mathrm{id}_C : 1 \to U[C, C]$.


[Diagrams: the commuting diagrams for an SK-functor $(F, \phi, \psi)$, relating $U$, $[-, =]$, $S$, $K$ and $\varepsilon$ in $C$ and $D$; not recoverable from the extraction.]
(b) Axioms for an SK-functor 


Fig. 1: Extra axioms for Definition 16.

We think of $UC$ as the set of multimaps $\circ \to C$ and $\varepsilon$ as a formal application operation $(- \cdot =)$. Axioms (1) and (2) are the weak equality laws from CL. Axioms (3) and (4) ensure compatibility between the category structure and the corresponding CL constructions: for example, axiom (3) implies $U(f)(x) = f \cdot x$, and axiom (4) says that composition coincides with $S\,(K\,-)\,(=)$, corresponding to the weak equality $S\,(K\,f)\,g\,x = f\,(g\,x)$. Axioms (5)–(7) are coherence laws.

Every extensional SK-clone determines an SK-category. Because we follow [11] and ask for an equality $U[A, B] = C(A, B)$ in the definition of SK-categories, but in general an extensional SK-clone $(C, [-, =], S, K, \cdot)$ only has an isomorphism $C(A; B) \cong C(\circ; [A, B])$, we need to strictify in the same manner as Section . As a notational shorthand, we write $I_A$, $B$ and $B'$ for the closed multimaps satisfying the equations below in the internal language of $C$ (see e.g. [15, 6]):
j4 


T, pgP=>0,A>B,A (BAT ARGA 


The category $NC$ has objects $|C|$ and hom-sets $(NC)(A, B) := C(\circ; [A, B])$ (cf. [14]). The identity on $A$ is $I_A$ and the composite of $t$ and $t'$ is $B \cdot t \cdot t'$. For $U$ we take $UA := C(\circ; A)$ with the action on maps given by application. For $[-, =]$ the action on objects is given by the SK-structure, with the action on maps given by $[X, t] := B \cdot t$ and $[t, X] := B' \cdot t$. The maps $S$ and $K$ are given by the corresponding combinators, and $\varepsilon$ is the application operation in $C$. This extends to a functor $N : \mathrm{SKClone}_{\mathrm{ext}} \to \mathrm{SKCat}$.

The internal language of SK-categories is $\mathrm{CL}^{\mathrm{ext}}$, and hence $\lambda^{\Rightarrow}$. We write $\mathcal{U}$ for the functor which sends an SK-category $(C, U, [-, =], S, K, \varepsilon)$ to the signature with base types $|C|$ and constants $U[\Gamma, B]$.

Proposition 5. The forgetful functor $\mathcal{U} : \mathrm{SKCat} \to \mathrm{Sig}$ has a left adjoint, and the free SK-category on $\mathcal{S}$ is $N(\mathrm{Syn}(\mathrm{CL}^{\mathrm{ext}}_{\mathcal{S}})) = (N \circ E)(\mathrm{Syn}(\lambda^{\Rightarrow}_{\mathcal{S}}))$.


Using Theorem 1 we now obtain a version of Propositions 1 and 4 for $\lambda^{\Rightarrow}$.

Theorem 2. The composite $N \circ E' : \mathrm{ClClone}_{\mathrm{st}} \to \mathrm{SKCat}$ is invertible; hence we get the diagram below, in which the right-hand adjunction is an equivalence:

$$\mathrm{Sig} \;\underset{\mathcal{U}}{\overset{F}{\rightleftarrows}}\; \mathrm{ClClone} \;\underset{\mathrm{Cl}}{\overset{N \circ E}{\rightleftarrows}}\; \mathrm{SKCat}$$

Moreover, $\mathcal{U} \circ \mathrm{Cl}$ is equal to the forgetful functor $\mathrm{SKCat} \to \mathrm{Sig}$, so the free SK-category on $\mathcal{S}$ is canonically isomorphic to $(N \circ E)(\mathrm{Syn}(\lambda^{\Rightarrow}_{\mathcal{S}}))$.


Recall that a closed monoidal category is a monoidal category $(D, \otimes, I)$ such that every $(-) \otimes D$ has a right adjoint $[D, -]$, and that in a closed category $C$ giving every $[C, -]$ a $C$-enriched left adjoint is equivalent to giving closed monoidal structure ([11, 10, 43]). Theorem 2 and Proposition 4 imply a cartesian version.

Corollary 2. Equipping a category $C$ with cartesian closed structure is equivalent to equipping $C$ with SK-structure and natural isomorphisms $C(I, [C, D]) \cong C(C, D)$ and $C(C \times D, E) \cong C(C, [D, E])$ for every $C, D, E \in C$.
Abstract. The recent years have seen remarkable progress in establishing the complexity of the reachability problem for vector addition systems with states (VASS), equivalently known as Petri nets. Existing work primarily considers the case in which both the VASS as well as the initial and target configurations are part of the input. In this paper, we investigate the reachability problem in the setting where the VASS and the final configuration are fixed and only the initial configuration is variable. We show that fixed VASS fully express arithmetic with counting on initial segments of the natural numbers. It follows that there is a very weak reduction from any fixed such number-theoretic predicate (e.g. square-freeness or "$N_1$ is the number of primes smaller than $N_2$") to reachability in fixed VASS where configurations are presented in unary. If configurations are given in binary, we show that there is a fixed VASS with five counters whose reachability problem is PSPACE-hard.


1 Introduction 


Vector addition systems with states (VASS), equivalently known as Petri nets, 
are a fundamental model of computation. A VASS comprises a finite-state con- 
troller with a finite number of counters ranging over the non-negative integers. 
When a transition is taken, counters can be updated by adding an integer, 
provided that the resulting counter values are all non-negative; otherwise the 
transition blocks. Given two configurations of a VASS, each consisting of a con- 
trol state and an assignment of values to the counters, the reachability problem 
asks whether there is a path connecting the two configurations in the infinite 
transition system induced by the VASS. The VASS reachability problem has 
been one of the most intriguing problems in theoretical computer science and 
studied for more than fifty years. In the 1970s, Lipton showed this problem 
EXPSPACE-hard [18]. Ever since the 1980s [19, 14, 16], the reachability prob- 
lem has been known to be decidable, albeit with non-elementary complexity. 
This wide gap between the EXPSPACE lower bound and a non-elementary up- 
per bound persisted for many years, until a recent series of papers established 
various non-elementary lower bounds [5,6,15], and resulted in matching a re- 
cently established upper bound [17], showing the VASS reachability problem 
Ackermann-complete. The lower bounds for this result require an unbounded 
number of counters, but even for a fixed number of counters, the Petri net 
reachability problem requires non-elementary time [6, 7, 15]. 
Main results. The main focus of this paper is to investigate the reachability problem for fixed VASS, where the VASS under consideration and the final configuration are fixed and only the initial configuration forms the input to a reachability query. Here, it is crucial to distinguish between the encoding of numbers used to represent counter values in configurations: in unary encoding, the representation length of a natural number $n \in \mathbb{N}$ is its magnitude $n$, whereas in binary encoding the bit length of $n \in \mathbb{N}$ is $\lfloor \log n \rfloor + 1$. It turns out that establishing meaningful lower bounds under unary encoding of configurations is a rather delicate issue; a full discussion is deferred to Section 4. As a first step, we establish a tight correspondence between reachability in VASS and the first-order theory of initial segments of $\mathbb{N}$ with the arithmetical relations addition ($+$), multiplication ($\times$) and counting quantifiers. An initial segment in $\mathbb{N}$ is a set $\underline{N} = \{0, \dots, N\}$ for some arbitrary but fixed $N \in \mathbb{N} \setminus \{0\}$. Relations definable in this family of structures are known as rudimentary relations and contain many important number-theoretic relations, cf. [9] and the references therein. For instance, the fixed formula

$$\mathrm{PRIME}(x) = \neg(x = 0) \wedge \neg(x = 1) \wedge \forall y < x\; \forall z < x\; \neg(x = y \times z)$$

evaluates to true in $\underline{N}$ precisely for all prime numbers up to $N$. The formula $\exists^{=z} y\; (y < x) \wedge \mathrm{PRIME}(y)$ evaluates to true if and only if there exist exactly $z$ prime numbers smaller than $x$.

Given a fixed rudimentary relation $\Phi(x_1, \dots, x_k)$, we show how to construct a fixed VASS $\mathcal{V}$ and fixed polynomials $p_1, \dots, p_m$ such that $\Phi(n_1, \dots, n_k)$ evaluates to true in $\underline{N}$ if and only if there is a run in $\mathcal{V}$ starting in $(p_1(N, n_1, \dots, n_k), \dots, p_m(N, n_1, \dots, n_k))$ and ending in a zero vector. It thus follows that reachability
in fixed VASS under unary encoding of configurations is at least as hard as 
evaluating any rudimentary relation under unary encoding of numbers. Hence, 
reachability queries in fixed VASS can, e.g., determine primality and square- 
freeness of a number given in unary. From those developments, it is already 
possible to infer that reachability in fixed VASS with configurations encoded in 
binary is hard for every level of the polynomial hierarchy by a reduction from the 
validity problem for short Presburger arithmetic [21]. In fact, we can establish a 
PSPACE lower bound for reachability in a fixed VASS with five counters with 
configurations encoded in binary, by a generic reduction allowing to simulate 
space-bounded computations of arbitrary Turing machines encoded as natural 
numbers. A recent conjecture of Jecker [13] states that for every VASS V, there 
exists a fixed constant C such that if a target configuration is reachable from an 
initial configuration, then there exists a witnessing path whose length is bounded 
by C -m, where m is the maximum constant appearing in the initial and final 
configurations. Thus, assuming Jecker’s conjecture, reachability in fixed VASS 
under binary encoding of configurations would be PSPACE-complete. In the 
course of our work, we were not able to find any evidence that this conjecture 
is false. It is also worth noting that while all our results assume that the final 
configuration is fixed to a zero vector, we did not find any stronger lower bounds 
for the case where the final configuration is variable, and only the VASS is fixed. 


Related work. To the best of our knowledge, the reachability problem for fixed 
VASS has not yet been systematically explored. Closest to the topics of this paper 
is the work by Rosier and Yen [22], who conducted a multi-parameter analysis 
of the complexity of the boundedness and coverability problems for VASS. 

However, the study of the computation power of other fixed machines has a 
long history in the theory of computation. The two classical decision problems 
for a computation model are membership (also called the word problem) and 
reachability. Membership asks whether a given machine accepts a given input; 
the (generic) reachability problem asks whether given an initial and a target 
configuration, there is a path in the transition system induced by a given machine 
from the initial configuration to the target configuration. The most prominent 
example of a reachability problem is the halting problem for different kinds of 
machines. Classically, the computational complexity of such problems assumes 
that both the computational model and its input word (for membership) or 
configurations (for reachability) are part of the input. However, these are two 
separate parameters. For example, in database theory, the database size and the 
query size are often considered separately, since the complexity of algorithms 
may depend very differently on these two parameters, and the sizes of these two 
parameters in applications can also vary a lot [26]. One approach to study such 
phenomena is to fix either the database or the query. More generally, the field 
of parameterised complexity studies the computational difficulty of a problem 
with respect to multiple parameters of the input. 

Returning to our setting, this means fixing either the machine or its input. In 
this paper, we concentrate on the former. The question can then be seen as fol- 
lows: in relation to a problem such as membership or reachability, which machine 
is the hardest one in the given computation model? For some models, the answer 
easily follows from the existence of universal machines, i.e., machines which are 
able to simulate any other machine from their class. A classical example here is a 
universal Turing machine. Sometimes the ability to simulate all other machines 
has to be relaxed, for example as for Greibach’s hardest context-free language 
[11]. Greibach showed that there exists a fixed context-free grammar such that a 
membership query for any other context-free grammar can be efficiently reduced 
to a membership query for this grammar. Similar results are known for two-way 
non-deterministic pushdown languages [23, 4]. 


2 Preliminaries 


We denote by $\mathbb{Z}$ and $\mathbb{N}$ the set of integers and non-negative integers, respectively. For $N \in \mathbb{N}$ we write $\underline{N}$ to denote the set $\{0, \dots, N\}$. By $[n, m]$ we define the set of integers between $n$ and $m$: $[n, m] = \{k \in \mathbb{Z} \mid n \le k \le m\}$. By $\mathbf{0}$ we denote the zero vector $(0, 0, \dots, 0)$ whose dimension is clear from the context.


Counter automata. A $d$-counter automaton is a tuple $A = (Q, \Delta, \zeta, q_0, q_f)$, where $Q$ is a finite set of states, $\Delta \subseteq Q \times \mathbb{Z}^d \times Q$ is the transition relation, $\zeta : \Delta \to [1, d] \cup \{\top\}$ is a function indicating which counter is tested for zero along a transition ($\top$ meaning no counter is tested), $q_0 \in Q$ is the initial state, and $q_f \in Q$ is the final state. We assume that $q_f$ does not have outgoing transitions.

The set of configurations of $A$ is $C(A) := \{(q, n_1, \dots, n_d) : q \in Q,\ n_i \in \mathbb{N},\ 1 \le i \le d\}$. A run $\varrho$ of a counter automaton $A$ from a configuration $c_1 \in C(A)$ to $c_{n+1} \in C(A)$ is a sequence of configurations interleaved with transitions

$$\varrho = c_1 \xrightarrow{t_1} c_2 \xrightarrow{t_2} \cdots \xrightarrow{t_n} c_{n+1}$$

such that for all $1 \le i \le n$, if $c_i = (q, m_1, \dots, m_d)$ and $c_{i+1} = (r, m'_1, \dots, m'_d)$, then

– $t_i = (q, (z_1, \dots, z_d), r)$ with $m'_j = m_j + z_j$ for all $1 \le j \le d$; and
– $m_j = 0$ if $\zeta(t_i) = j$.


Observe that we can without loss of generality assume that each transition $t \in \Delta$ is of one of the two types:

– either no counter is tested for zero along $t$, that is, $\zeta(t) = \top$, in which case we call it an update transition;

– or $t$ does not change the values of the counters, that is, $\zeta(t) = j$ for some $1 \le j \le d$ and $t = (q, \mathbf{0}, r)$, in which case we call it a zero-test transition.


We say that $A$ is a vector addition system with states of dimension $d$ ($d$-VASS) if $A$ cannot perform any zero tests, i.e., $\zeta$ is the constant function assigning $\top$ to all transitions. We can now formally define the main decision problem we study in this paper.

Problem 1. FIXED VASS ZERO-REACHABILITY

Fixed: $d$-VASS $A$.

Input: A vector $\mathbf{x} \in \mathbb{N}^d$ of initial values of the counters.

Output: YES if and only if $A$ has a run from $(q_0, \mathbf{x})$ to $(q_f, \mathbf{0})$.


Counter programs. For ease of presentation, we use the notion of counter programs presented e.g. in [5], which are equivalent to VASS, and allow for presenting VASS (and counter automata) in a serialised way. A counter program is a primitive imperative program that executes arithmetic operations on a finite number of counter variables. Formally, a counter program consists of a finite set $\mathcal{X}$ of global counter variables (called counters subsequently for brevity) ranging over the natural numbers, and a finite sequence $1, \dots, m$ of line numbers (subsequently lines for brevity), each associated with an instruction manipulating the values of the counters or a control flow operation.

1: goto 2 or 4
2: x −= 3
3: goto 1
4: x += 1
5: halt

Fig. 1. Example of a counter program.

Each instruction is of one of the following forms:

– x += c (increment counter x by constant $c \in \mathbb{N}$),

– x −= c (decrement counter x by constant $c \in \mathbb{N}$),

– goto $L_1$ or $L_2$ (non-deterministically jump to the instruction labelled by $L_1$ or $L_2$),

– skip (no operation).
We write goto $L$ as an abbreviation for goto $L$ or $L$, and also allow statements of the form goto $L_1$ or $L_2$ or … or $L_p$. Moreover, the line with the largest number is a special instruction halt. In our examples of counter programs, we usually omit this last line if it is not referenced explicitly.

An example of a counter program is given in Figure 1. This counter program uses a single counter x and consists of five lines. Starting in line 1, the program non-deterministically loops and decrements the counter x by three every time, until it increments x by one and terminates.

To be able to compose counter programs, we describe the operation of substitution, which substitutes a given line (which we always assume to have a skip instruction) of a counter program with the "code" of another counter program. Formally, let $C_1, C_2$ be counter programs with $m_1$ and $m_2$ lines respectively. The result of substituting line $k$, $1 \le k \le m_1 - 1$, of $C_1$ with $C_2$ is a counter program $C_3$ with $m_1 + m_2 - 1$ lines obtained, intuitively, by calling $C_2$ as a sub-routine in this line and when it halts returning control back to $C_1$. Formally, the instruction corresponding to a line $L$, $1 \le L \le m_1 + m_2$, is defined as follows:

– if $L < k$, it is the instruction of line $L$ in $C_1$,
– if $k \le L < m_2 + k - 1$, it is the instruction of line $L - k + 1$ in $C_2$,
– if $L = m_2 + k - 1$, it is the instruction skip,
– if $m_2 + k \le L$, it is the instruction of line $L - m_2$ in $C_1$.

The line numbers in goto instructions are changed accordingly. We also consider a substitution of several counter programs. When specifying counter programs, to denote substitution of another counter program we just write its name instead of an instruction in a line. Also, we write $C_1; C_2$ for

1: $C_1$
2: $C_2$

and $C_1$ or $C_2$ as syntactic sugar for the counter program:

1: goto 2 or 4
2: $C_1$
3: goto 5
4: $C_2$

When $C$ is a counter program, we write loop $C$ as an abbreviation for the counter program

1: goto 2 or 4
2: $C$
3: goto 1

Hence, the counter program in Figure 1 corresponds to

1: loop
2:   x −= 3
3: x += 1

We use indentation to mark the scope of the loop instruction. We also assume that if several instructions share the same line and are separated by a semicolon, they all belong to the scope of a loop.
Runs of counter programs. Exactly as in the case of VASS, a configuration of a counter program is an element $(L, f) \in \mathbb{N} \times \mathbb{N}^{\mathcal{X}}$, where $L \in \mathbb{N}$ is a program line with a corresponding instruction, and $f : \mathcal{X} \to \mathbb{N}$ is a counter valuation. The semantics of counter programs are defined in a natural way: after executing the instructions on the line $L$, we either non-deterministically go to one of the specified lines (if the instruction on line $L$ is a goto instruction), or, otherwise, we go to the line $L + 1$. After executing the last line, we stop.

One can view a counter program as a VASS by treating line numbers as states and defining transitions as specified by the counter program, each labelled with the respective instruction. It is also easy to see how to convert a VASS into a counter program.

A run of a counter program is a sequence $\varrho : (L_1, f_1) \to (L_2, f_2) \to \cdots \to (L_n, f_n)$ of configurations defined naturally according to the described semantics. For example, $(1, \{x \mapsto 7\}) \to (4, \{x \mapsto 7\}) \to (5, \{x \mapsto 8\})$ is a run of the counter program in Figure 1. Given a run $\varrho : (L_1, f_1) \to (L_2, f_2) \to \cdots \to (L_n, f_n)$, we say that $\varrho$ is terminating if $L_1 = 1$ and the instruction on line $L_n$ is halt, and zero-terminating if additionally $f_n(x) = 0$ for all $x \in \mathcal{X}$. We denote by $\mathrm{val}_{\mathrm{end}}(\varrho, x) := f_n(x)$ the value of the counter $x$ at the end of a terminating run. Sometimes, we also want to talk about the value of a counter at a specific point during the execution of a run and define $\mathrm{val}_i(\varrho, x)$ to be the value of the counter $x$ right before we execute the instruction on line $i$ in the run $\varrho$ for the first time, i.e. $\mathrm{val}_i(\varrho, x) := f_k(x)$, where $k$ is the smallest index such that $L_k = i$. For instance, in the example above, we have $\mathrm{val}_{\mathrm{end}}(\varrho, x) = 8$ and $\mathrm{val}_4(\varrho, x) = 7$. We often construct counter programs that admit exactly one run $\varrho$ from a given initial configuration to a target configuration. In such a setting, we may omit the reference to $\varrho$ and simply write $\mathrm{val}_{\mathrm{end}}(x)$ and $\mathrm{val}_i(x)$. The effect $\mathrm{eff}(\varrho) : \mathcal{X} \to \mathbb{Z}$ of a run $\varrho$ starting in $(1, f_1)$ and ending in $(n, f_n)$ is a map such that $\mathrm{eff}(\varrho, x) = f_n(x) - f_1(x)$ for all $x \in \mathcal{X}$.

For counter programs, the zero-reachability problem is as follows. 


Problem 2. FIXED COUNTER PROGRAM ZERO-REACHABILITY

Fixed: Counter program $C$.

Input: A vector $\mathbf{x} \in \mathbb{N}^d$ of initial values of the counters.

Output: YES if and only if $C$ has a zero-terminating run from $\mathbf{x}$.


3 Implementation of zero tests 


The structure of runs in arbitrary counter programs is very complicated and hard to analyse, and hence it is difficult to force a counter program to have a prescribed behaviour. One of the common ways to deal with this issue is to introduce some restricted zero tests, that is, some gadgets that guarantee that if a run reaches a certain configuration, then along this run, the values of some counters are zero at prescribed positions. In this section, summarising [5], we describe such a gadget in the case where the values of counters are bounded by a given number. The number of zero tests that can be performed this way is also bounded. For a counter $v$, we call this gadget zero-test($v$), and later on we will use it as a single instruction to test that the value of $v$ is zero before executing it.

In Section 4, the assumption that the values of the counters are bounded comes from the fact that the corresponding values of the variables in rudimentary arithmetic are bounded. In Section 5, we enforce this property for more powerful models of computation and show how to simulate them with VASS.

Let $N \in \mathbb{N}$ be an upper bound on the value of a counter $v$. Then, we can introduce a counter $\hat{v}$ and enforce the invariant $f(v) + f(\hat{v}) = N$ to hold in all the configurations of any run of our counter program. We achieve this by ensuring that every line containing an instruction of type $v$ += $c$ must be followed by a line with a $\hat{v}$ −= $c$ instruction. From now on, we make the convention that the instruction $v$ += $c$ is an abbreviation for $v$ += $c$; $\hat{v}$ −= $c$. This allows us to remove the hatted counters from our future counter programs whenever it is convenient for us, which will ease readability. So, if we choose an initial configuration in which $f(v) + f(\hat{v}) = N$, we have that this invariant holds whenever the zero-test gadget is invoked.

We introduce auxiliary counters $u_1, u_2$ that will be tested for zero only in the final configuration, and hence have no hat counterpart. In the following, the instruction zero-test($v$) denotes the following gadget:

1: loop
2:   $v$ += 1; $\hat{v}$ −= 1; $u_2$ −= 1
3: loop
4:   $v$ −= 1; $\hat{v}$ += 1; $u_2$ −= 1
5: $u_1$ −= 2


Consider an initial configuration in which $f(u_1) = 2n$ and $f(u_2) = 2n \cdot N$ for some $n > 0$. Initially, it is true that $f(u_2) = f(u_1) \cdot N$.

Lemma 1 ([5]). There exists a run of the counter program zero-test($v$) that starts in a configuration with $f(u_1) \ge 2$, $f(u_2) = f(u_1) \cdot N$, and ends in a configuration with $f(u_2) = f(u_1) \cdot N$ if and only if $f(v) = 0$ in the initial configuration.

Proof. The invariant $f(v) + f(\hat{v}) = N$ ensures that the loops on line 1 and line 3 can each decrease the value of $u_2$ by at most $N$. Moreover, this can only happen if $f(v) = 0$ in the initial configuration.


From a configuration with $f(u_2) = f(u_1) \cdot N$, a run "incorrectly" executing the zero-test($v$) subroutine can only reach a configuration with $f(u_2) > f(u_1) \cdot N$. Observe that from such a configuration, we can never reach a configuration respecting the invariant $f(u_2) = f(u_1) \cdot N$ if the values of $u_1, u_2$ are only changed by zero-test($v$) instructions. Now, consider a counter $v$ and a counter program $C$ that modifies the values of counters $u_1$ and $u_2$ only through the zero-test($v$) instruction. If we start in a configuration in which $f(u_1) = 2n$ and $f(u_2) = 2n \cdot N$ for some $n > 0$, and we are guaranteed that any run of $C$ cannot execute more than $n$ zero-test($v$) instructions, then after any run of $C$, we have that $f(u_2) = f(u_1) \cdot N$ only if the value of the counter $v$ was zero at the beginning of every zero-test($v$) instruction. If all the counters that we are interested in are bounded by the same value $N$, we can use a single pair of counters $u_1, u_2$ to perform zero tests on all our counters. We subsequently call the counters $u_1$ and $u_2$ testing counters. To summarise, using this technique, we can perform $n$ zero tests on counters bounded by $N$ via a reachability query in a VASS.

Given a configuration $(L, f)$, we say that $(L, f)$ is a valid configuration if $f$ respects the condition that $f(u_2) = f(u_1) \cdot N$. A valid run is a run that starts in a valid configuration and ends in a valid configuration. Also, a counter program admits a valid run if there exists a valid run that reaches the terminal instruction halt. Observe that in every valid run the zero-test() subroutine does not change the value of the counter which is tested for zero, that is, this value remains zero. Only the values of the testing counters are changed.
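As an added example (not code from the paper), the following Python simulator explores every run of a counter program in the sense of Section 2, with blocked decrements as in a VASS, and then checks Lemma 1 on concrete values: the zero-test(v) gadget of this section, with its two loop abbreviations expanded into goto lines, admits a valid run exactly when v is zero. The program encoding and the counter name `vh` (standing for v̂) are my own choices.

```python
from collections import deque

# A program is a list of lines; each line is a list of operations, either
# ('add', counter, delta) or ('goto', [target lines]).  The line after the
# last one is the implicit 'halt' line, as in the paper's convention.

def run_all(program, init):
    """Breadth-first exploration of all runs from line 1 with valuation `init`.

    Returns the list of halting valuations (dicts).  A decrement that would
    make a counter negative blocks that branch, exactly like a VASS transition.
    The set of reachable configurations must be finite for this to terminate.
    """
    names = sorted(init)
    start = (1, tuple(init[n] for n in names))
    seen, queue, halted = {start}, deque([start]), set()
    while queue:
        line, vals = queue.popleft()
        if line > len(program):          # implicit halt line reached
            halted.add(vals)
            continue
        cur = dict(zip(names, vals))
        targets, blocked = [line + 1], False
        for op in program[line - 1]:
            if op[0] == 'add':
                _, c, d = op
                if cur[c] + d < 0:       # counter would go negative: blocked
                    blocked = True
                    break
                cur[c] += d
            else:                        # ('goto', targets): nondeterministic jump
                targets = list(op[1])
        if blocked:
            continue
        new_vals = tuple(cur[n] for n in names)
        for t in targets:
            st = (t, new_vals)
            if st not in seen:
                seen.add(st)
                queue.append(st)
    return [dict(zip(names, v)) for v in halted]

# Figure 1 of the paper: line 5 (halt) is implicit.
FIG1 = [
    [('goto', [2, 4])],      # 1: goto 2 or 4
    [('add', 'x', -3)],      # 2: x -= 3
    [('goto', [1])],         # 3: goto 1
    [('add', 'x', 1)],       # 4: x += 1
]

def halting_values(program, init, counter='x'):
    """Set of final values of `counter` over all halting runs."""
    return {f[counter] for f in run_all(program, init)}

# zero-test(v) from Section 3, with 'loop C' expanded as
# 'goto next or after; C; goto back'.  Counter 'vh' plays the role of v-hat.
ZERO_TEST = [
    [('goto', [2, 4])],                                        # 1: loop
    [('add', 'v', 1), ('add', 'vh', -1), ('add', 'u2', -1)],   # 2
    [('goto', [1])],                                           # 3
    [('goto', [5, 7])],                                        # 4: loop
    [('add', 'v', -1), ('add', 'vh', 1), ('add', 'u2', -1)],   # 5
    [('goto', [4])],                                           # 6
    [('add', 'u1', -2)],                                       # 7
]

def valid_run_exists(v, N, n):
    """Lemma 1 check: start with f(v)=v, f(vh)=N-v, f(u1)=2n, f(u2)=2n*N and
    ask whether some run of zero-test(v) halts with f(u2) = f(u1)*N."""
    if not 0 <= v <= N:
        raise ValueError("v must respect the bound N")
    init = {'v': v, 'vh': N - v, 'u1': 2 * n, 'u2': 2 * n * N}
    return any(f['u2'] == f['u1'] * N for f in run_all(ZERO_TEST, init))

if __name__ == '__main__':
    print(sorted(halting_values(FIG1, {'x': 7})))          # [2, 5, 8]
    for v in range(0, 4):
        print(v, valid_run_exists(v, N=3, n=1))            # True only for v = 0
```

Every halting run of the gadget with v > 0 leaves u2 strictly above u1·N, which is the "incorrect execution" case discussed above; the search is exhaustive because all counters stay bounded.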

We now introduce components. Informally, a component is a counter program 
acting as a subroutine such that, if it is invoked in a configuration fulfilling the 
invariants required for valid runs, upon returning, those invariants still hold. 
Formally, a component is a counter program such that: 


– there is a polynomial $p$ such that every valid run performs at most $p(N)$ calls of zero-test() on all counters; and
– the values of $u_1$ and $u_2$ are updated only by zero-test() instructions.


We conclude this section with Lemma 2, which states that sequential composi- 
tion and non-deterministic branching of components yields components. We will 
subsequently implicitly make use of this obvious lemma without referring to it. 


Lemma 2. If $C_1, C_2$ are components then both $C_1; C_2$ and $C_1$ or $C_2$ are also components.

Remark 1. Let $\mathcal{V}$ be a fixed VASS, and $s = (q_0, \mathbf{n})$, $t = (q_f, \mathbf{m})$ be a pair of its configurations. Given $s$ and $t$, the FIXED VASS COVERABILITY problem asks whether there exists a run in $\mathcal{V}$ from $s$ to a configuration $t' = (q_f, \mathbf{m}')$ such that $\mathbf{m}' \ge \mathbf{m}$ componentwise. Note that when simulating zero tests as described above, for each counter $x$ except $u_1, u_2$, we have a counter $\hat{x}$ such that the sum of the values of $x$ and $\hat{x}$ is always the same and is known in advance. Since the values of $u_1, u_2$ are never increased, we can introduce in the same way the counters $\hat{u}_1, \hat{u}_2$, initially set to zero, so that $u_i + \hat{u}_i$ is constant for $i = 1, 2$. Hence, by requiring that the final value of $\hat{x}$ is at least the initial value of $x$, we make sure that the final value of $x$ is equal to zero. Thus, in this setting, reachability queries reduce to coverability queries.


4 Rudimentary arithmetic and unary VASS 


In this section, we provide a lower bound for the zero-reachability problem for a 
VASS when the input configuration is encoded in unary. We observe that there 
is a close relationship between this problem and deciding validity of a formula 
of first-order arithmetic with counting, addition, and multiplication on an initial 
segment of N, also known as rudimentary arithmetic with counting [9]. 
4.1 Rudimentary arithmetic with counting 


For the remainder of this section, all the structures we consider are relational. We denote by $\mathrm{FO}(+, \times)$ the first-order theory of the structure $(\mathbb{N}, +, \times)$, where $+$ and $\times$ are the natural ternary addition and multiplication relations. When interpreted over initial segments of $\mathbb{N}$, i.e. sets $\{0, 1, \dots, N\}$ for some fixed $N \in \mathbb{N}$, the family of the first-order theories is known as rudimentary arithmetic. Note that, in particular, for a predicate $x + y = z$ to hold, all of $x, y, z$ must be at most $N$. It thus might seem that after we fix $N$, a formula $\Phi(x)$ can only express facts about numbers up to $N$. However, as discussed in [25] and [9], this can be improved to quantifying over variables up to $N^d$ for any fixed $d$ using $(N+1)$-ary representations of numbers. In other words, for any fixed $d$ and formula $\Phi(x)$, there exists a formula $\Phi'(x)$ such that for any $N \in \mathbb{N}$ and $a \in \underline{N}^{d}$, we have that $(\underline{N}, +, \times) \models \Phi'(a)$ iff $(\underline{N^d}, +, \times) \models \Phi(a)$.

Rudimentary arithmetic can be extended with counting quantifiers. As described in [25], let rudimentary $\mathrm{FOunC}(+, \times)$ be rudimentary $\mathrm{FO}(+, \times)$ extended with counting quantifiers of the form $\exists^{>x} y\; \varphi(y)$. In this expression, the variable $x$ is free and the variable $y$ is bound by the quantifier. The semantics of this expression is that there exist more than $x$ different values of $y$ such that the formula $\varphi(y)$ is satisfied. The paper [25] actually uses the counting quantifier $\exists^{=x} y\; \varphi(y)$ to state that the number of such values is exactly $x$, which can be expressed as

$$(x = 0 \wedge \neg\exists y\, \varphi(y)) \vee (\exists^{>x'} y\, \varphi(y) \wedge (x' + 1 = x) \wedge \neg\exists^{>x} y\, \varphi(y)).$$

Moreover, $\mathrm{FOunC}(+, \times)$ can be extended to $\mathrm{FOk\text{-}aryC}(+, \times)$, $\mathrm{FO}(+, \times)$ with $k$-ary counting quantifiers $\exists^{=\mathbf{x}} \mathbf{y}\; \varphi(\mathbf{y})$. In this expression, $\mathbf{x}, \mathbf{y}$ are vectors of the same dimension, and similarly to the previous case, all the variables of $\mathbf{x}$ are free and all the variables of $\mathbf{y}$ are bound by the quantifier. The semantics is that the $k$-tuple $\mathbf{x}$ is the $(N+1)$-ary representation of the number of $k$-tuples $\mathbf{y}$ that satisfy $\varphi(\mathbf{y})$. As shown in [3], rudimentary $\mathrm{FOunC}(+, \times)$ and rudimentary $\mathrm{FOk\text{-}aryC}(+, \times)$ have the same expressive power. In order to have a meaningful reduction to fixed VASS, we are interested in the following decision problem:

Problem 3. FIXED RUDIMENTARY $\mathrm{FOk\text{-}aryC}(+, \times)$ VALIDITY

Fixed: $\Phi(\mathbf{x}) \in \mathrm{FOk\text{-}aryC}(+, \times)$.

Input: $N \in \mathbb{N}$ and $\mathbf{a} \in \underline{N}^{k}$ given in unary.

Output: YES if and only if $(\underline{N}, +, \times) \models \Phi(\mathbf{a})$.


4.2 Reductions between unary languages 


In order to study decision problems whose input is, for some constant k, a k-tuple 
of numbers presented in unary, and hence to analyse languages corresponding to 
them, we need a notion of reductions that are weaker compared to the standard 
ones that are widely used in computational complexity. The reason is that clas- 
sical problems involving numbers represented in unary, such as UNARY SUBSET 
Sum [8], have as an input a variable-length sequence of numbers given in unary. 
Hence, languages of such problems are in fact binary, as we need a delimiter 
symbol to separate the elements of the sequence. It is not clear how a reasonable 
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reduction from such a language to a language consisting of k-tuples of num- 
bers for a fixed k would look like. In particular, note that unary FIXED VASS 
ZERO-REACHABILITY is not the unary “counterpart” of binary FIXED VASS 
ZERO-REACHABILITY in the classical sense. Conversely, arithmetic properties of 
a single number, e.g. primality or square-freeness, require very low computational 
resources if the input is represented in unary. Hence, the notion of a reduction 
between such “genuinely unary” languages has to be very weak. 

In view of this discussion, we introduce the following kind of reduction. Given 
k > 0, a k-tuple unary language is a subset L ⊆ ℕ^k. We say that L is a tuple 
unary language if L is a k-tuple unary language for some k > 0. Let L ⊆ ℕ^k and 
M ⊆ ℕ^ℓ be tuple unary languages; we say that L arithmetically reduces to M 
if there are fixed polynomials p_1, ..., p_ℓ : ℕ^k → ℕ such that (m_1, ..., m_k) ∈ L if 
and only if (p_1(m_1, ..., m_k), ..., p_ℓ(m_1, ..., m_k)) ∈ M. 

We believe that this reduction is sensible for the following informal reasons. 
Polynomials can be represented as arithmetic circuits. To the best of our knowl- 
edge, there are no known lower bounds for, e.g. comparing the output of two 
arithmetic circuits with all input gates having value one [1], suggesting that 
evaluating a polynomial is a computationally weak operation. Moreover, in the 
light of sets of numbers definable in rudimentary arithmetic, it seems implausible 
that applying a polynomial transformation makes, e.g. deciding primality of a 
number substantially easier. 

For a formula Φ, let L_Φ be the tuple unary language of yes-instances for 
FIXED RUDIMENTARY FO_k-aryC(+,×) VALIDITY. Also, for a counter program 
C, define L_C as the tuple unary language of yes-instances for the FIXED COUNTER 
PROGRAM ZERO-REACHABILITY problem. The remainder of this section is 
devoted to proving the following theorem. 


Theorem 1. For every formula Φ of rudimentary FO_k-aryC(+,×), there exists 
a counter program C such that L_Φ arithmetically reduces to L_C. 


This theorem can be viewed in two different contexts. On the one hand, it 
relates the computational complexity of the two problems using a very weak 
reduction as described above. On the other hand, it also relates the expressivity 
of two formalisms. Namely, the set of satisfying assignments for formulas of 
rudimentary arithmetic is at most as expressive as the composition of polynomial 
transformations with the sets of initial configurations for zero-reachable runs in 
counter programs. In particular, it shows that fixed VASS can, up to a polynomial 
transformation, decide number-theoretic properties such as primality and 
square-freeness; see [9] for further examples. Note that by Remark 1, an analogue of 
Theorem 1 holds for tuple unary languages of yes-instances of FIXED VASS 
COVERABILITY. 


4.3 Components for arithmetic operations 


Since there is no straightforward way to model negation with a counter program, 
we need to provide gadgets for both the predicates + and × of rudimentary 
FO_k-aryC(+,×) and their negations, and hence design a separate component 
for each literal. However, these components may change the values of the counters 
representing first-order variables, and since a first-order variable might appear in 
multiple literals, we first provide a gadget to copy the value of a chosen counter 
to some auxiliary counter before it can be manipulated. 


Copy. We provide a counter program COPY[x, x'] with the following properties: 


1. it admits a valid run if and only if val_end(x') = val_end(x) = val_1(x); and 
2. COPY[x, x'] is a component. 


We implement COPY[x, x'] as follows: 


1: loop 
2:   x' -= 1 
3: zero-test(x') 
4: loop 
5:   x -= 1; x' += 1; t += 1 
6: zero-test(x) 
7: loop 
8:   t -= 1; x += 1 
9: zero-test(t) 

The loop on line 1 ensures that val_4(x') = 0. We do not do this for the auxiliary 
counter t because any valid run sets val_end(t) = 0. Observe that COPY[x, x'] 
admits a valid run if and only if the loop on line 4 is executed val_1(x) many 
times and the loop on line 7 is executed val_7(t) = val_1(x) many times, which 
happens if and only if val_end(x') = val_end(x) = val_1(x). Moreover, any valid run 
performs 3 calls to the zero-test() subroutine, so COPY[x, x'] is a component. 


Addition. We define a counter program ADDITION[x, y, z] that enables us to 
check whether the value stored in counter z is equal to the sum of the values 
stored in x, y. Formally, it has the following properties: 


1. ADDITION[x, y, z] admits a valid run if and only if val_1(x) + val_1(y) = val_1(z); 
2. ADDITION[x, y, z] is a component; and 
3. the effect of ADDITION[x, y, z] is zero on counters x, y, z. 


We implement ADDITION[x, y, z] as follows: 
1: COPY[x, x']; COPY[y, y']; COPY[z, z'] 
2: loop 
3:   z' -= 1 
4:   x' -= 1 or y' -= 1 
5: zero-test(x'); zero-test(y'); zero-test(z') 

It is easy to see that the first property is fulfilled by the counter program 
and that ADDITION[x, y, z] is a component because any run performs exactly 12 
calls to zero-test() (9 calls on line 1, and 3 calls on line 5). The last property 
is true based on the properties of COPY. The component for the negation of the 
addition predicate is defined similarly. 
Multiplication. We now define a counter program MULTIPLICATION[x, y, z] with 
the following properties: 


1. it admits a valid run if and only if val_1(z) = val_1(x) · val_1(y); 
2. MULTIPLICATION[x, y, z] is a component; and 
3. the effect of MULTIPLICATION[x, y, z] is zero on counters x, y, z. 


We implement MULTIPLICATION[x, y, z] as follows: 


 1: COPY[x, x']; COPY[y, y']; COPY[z, z'] 
 2: loop 
 3:   loop 
 4:     x' -= 1; t += 1; z' -= 1 
 5:   zero-test(x') 
 6:   loop 
 7:     x' += 1; t -= 1 
 8:   zero-test(t) 
 9:   y' -= 1 
10: zero-test(y'); zero-test(z') 

Observe that the loop on line 3 of any valid run must be executed val_1(x) 
many times in order to pass the zero test on line 5. The effect of this 
loop is then to decrease the value of z' by val_1(x) and to set the value of t to 
val_1(x). Next, the loop on line 6 must be executed val_6(t) = val_1(x) many times 
to pass the zero test on line 8, so the value of x' is set to val_1(x) and the value 
of t is set again to zero. Hence, the effect of lines 3-8 is to subtract val_1(x) from 
the value of z' without changing the value of x'. Finally, any valid run passes the 
test on line 10 if and only if the loop on line 2 is executed val_1(y) many times, 
which happens if and only if val_1(z) = val_1(x) · val_1(y). Since we argued that 
the loop on line 2 is executed val_1(y) many times, we conclude that any valid 
run of MULTIPLICATION[x, y, z] performs at most 2N + 9 calls to zero-test(), so 
MULTIPLICATION[x, y, z] is a component. Again, the last property is ensured by 
the properties of COPY. The definition of ¬MULTIPLICATION[x, y, z] is similar. 
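To make the semantics of the COPY, ADDITION and MULTIPLICATION gadgets concrete, here is an added example that is not part of the paper: a small Python interpreter for the counter-program instructions used above (loop, increment, decrement, zero-test and the "a or b" choice) which explores all runs by breadth-first search over configurations and reports whether a valid run exists. The zero-test() subroutine and its testing counters from Section 3 are not modelled; zero-test is treated as a guard that only a run with the counter at zero can pass, and every counter is capped by an explicit bound standing in for N. The helper names (compile_program, final_valuations, admits_valid_run, arith_config) are this example's own.

```python
from collections import deque

# Structured instructions of the counter-program gadgets on this page.
# A `loop` repeats its body a nondeterministic number of times (zero or more);
# `either(a, b)` is the "a or b" instruction; zero-test(c) is modelled as a
# primitive guard that only a run with c == 0 can pass (the testing counters
# behind the zero-test() subroutine of Section 3 are not modelled here).
def loop(*body): return ('loop', list(body))
def inc(c): return ('inc', c)
def dec(c): return ('dec', c)
def ztest(c): return ('ztest', c)
def either(a, b): return ('or', [a, b])

def compile_program(instrs):
    """Flatten structured instructions into a goto program over (op, arg) pairs."""
    code = []
    def emit(block):
        for ins in block:
            kind, arg = ins
            if kind == 'loop':
                head = len(code)
                code.append(None)               # patched below: enter body or leave loop
                emit(arg)
                code.append(('goto', [head]))   # back edge to the loop head
                code[head] = ('goto', [head + 1, len(code)])
            elif kind == 'or':
                fork = len(code)
                code.append(None)               # patched below: choose a branch
                first = len(code)
                emit([arg[0]])
                join = len(code)
                code.append(None)               # patched below: jump over second branch
                second = len(code)
                emit([arg[1]])
                code[fork] = ('goto', [first, second])
                code[join] = ('goto', [len(code)])
            else:
                code.append(ins)
    emit(instrs)
    return code

def final_valuations(instrs, init, bound):
    """Breadth-first search over configurations (pc, counters).

    Returns the set of final valuations (as tuples of (name, value) pairs)
    reachable by a valid run: counters never drop below zero, every zero-test
    passes, and no counter exceeds `bound` (the paper bounds counters by N)."""
    code = compile_program(instrs)
    names = sorted(init)
    idx = {n: i for i, n in enumerate(names)}
    start = (0, tuple(init[n] for n in names))
    seen, work, finals = {start}, deque([start]), set()
    while work:
        pc, vals = work.popleft()
        if pc == len(code):
            finals.add(tuple(zip(names, vals)))
            continue
        op, arg = code[pc]
        succ = []
        if op == 'goto':
            succ = [(t, vals) for t in arg]
        else:
            i, v = idx[arg], list(vals)
            if op == 'inc' and vals[i] < bound:
                v[i] += 1; succ = [(pc + 1, tuple(v))]
            elif op == 'dec' and vals[i] > 0:
                v[i] -= 1; succ = [(pc + 1, tuple(v))]
            elif op == 'ztest' and vals[i] == 0:
                succ = [(pc + 1, vals)]
        for s in succ:
            if s not in seen:
                seen.add(s); work.append(s)
    return finals

def admits_valid_run(instrs, init, bound):
    return bool(final_valuations(instrs, init, bound))

# The gadgets transcribed from the page; x', y', z', t are the auxiliary counters.
def copy_program(x, xp):
    return [loop(dec(xp)), ztest(xp),
            loop(dec(x), inc(xp), inc('t')), ztest(x),
            loop(dec('t'), inc(x)), ztest('t')]

def addition_program(x, y, z):
    return [*copy_program(x, "x'"), *copy_program(y, "y'"), *copy_program(z, "z'"),
            loop(dec("z'"), either(dec("x'"), dec("y'"))),
            ztest("x'"), ztest("y'"), ztest("z'")]

def multiplication_program(x, y, z):
    return [*copy_program(x, "x'"), *copy_program(y, "y'"), *copy_program(z, "z'"),
            loop(loop(dec("x'"), inc('t'), dec("z'")), ztest("x'"),
                 loop(inc("x'"), dec('t')), ztest('t'),
                 dec("y'")),
            ztest("y'"), ztest("z'")]

def arith_config(x, y, z):
    """Constructed initial valuation: inputs x, y, z, all auxiliary counters zero."""
    return {'x': x, 'y': y, 'z': z, "x'": 0, "y'": 0, "z'": 0, 't': 0}

if __name__ == "__main__":
    N = 12  # stand-in for the bound N of the paper
    print(admits_valid_run(addition_program('x', 'y', 'z'), arith_config(2, 3, 5), N))
    print(admits_valid_run(multiplication_program('x', 'y', 'z'), arith_config(2, 3, 6), N))
    print(admits_valid_run(multiplication_program('x', 'y', 'z'), arith_config(2, 3, 5), N))
```

Running the search on ADDITION with x = 2, y = 3, z = 5 finds a valid run, with z = 4 it finds none, and the unique final valuation of ADDITION leaves x, y, z unchanged, which is exactly the third property claimed above; the same check on MULTIPLICATION confirms that 2 · 3 = 6 is accepted and 2 · 3 = 5 is not.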


4.4 Components for quantification 


We define the remaining components that we need in order to prove Theorem 1. 
These components allow us to existentially and universally quantify over vari- 
ables in a bounded range. 


Existential quantifiers. We start with a counter program EXISTS[v] with the 
following properties: 


1. for every n ∈ N, EXISTS[v] admits a valid run σ such that val_end(σ, v) = n; 
2. EXISTS[v] is a component. 


We define EXISTS[v] as follows: 
1: loop v -= 1 
2: zero-test(v) 
3: loop v += 1 

Reachability in Fixed VASS: Expressiveness and Lower Bounds 197 

It is easy to see that both properties hold, since EXISTS[v] performs exactly one 
call to the zero-test() subroutine. 


Universal quantifiers. While the component used for simulating existential 
quantification can be sequentially composed with a component for a subformula, 
universal quantification requires directly integrating the component over whose 
variable we universally quantify. Let C[v] be a component that may access the 
counter v, test it for zero, and change its value on intermediate steps, but has 
overall effect zero on counter v. We write FORALL[v] : C[v] for the following 
counter program: 


1: loop 
2:   v -= 1 
3: zero-test(v) 
4: loop 
5:   C[v] 
6:   v += 1 
7: zero-test(v̂) 


The properties of FORALL[v] : C[v] are as follows: 


1. it admits a valid run if and only if for all n ∈ N, C has a valid run with 
val_1(v) = n; and 
2. FORALL[v] : C[v] is a component. 


Notice that the instruction on line 7 tests if val_7(v) = N. Thus, any valid 
run that passes the test on line 7 must be able to execute C[v] for all values of 
v ∈ N. Moreover, since C[v] is a component, we know that the number of calls 
to zero-test() it makes is polynomial in N. Denote this number by B. Then 
FORALL[v] : C[v] executes at most N · B + 1 many calls to zero-test() and it 
is thus a component. 


Counting quantifiers. Finally, we design a component which is an extension 
of the FORALL[v] : C[v] component, where, as in the case of FORALL, C[v] 
has overall effect zero on v. Formally, the EXISTSC[x, v] : C[v] component has the 
following properties: 


— it admits a valid run if and only if there exist more than val_1(x) different 
integers n ∈ N such that C has a valid run with val_1(v) = n; 

— the overall effect on counter x is zero; and 

— EXISTSC[x, v] : C[v] is a component. 


We write EXISTSC[x, v] : C[v] for the following counter program: 
 1: loop 
 2:   v -= 1 
 3: zero-test(v) 
 4: COPY[x, x'] 
 5: goto 6 or 9 
 6: zero-test(x̂') 
 7: FORALL[v] : C[v] 
 8: goto 15 
 9: x' += 1 
10: loop 
11:   v += 1 
12:   goto 13 or 10 
13:   C[v]; x' -= 1 
14: zero-test(x') 
15: halt 


The branching on line 5 checks whether val_1(x) = N. If so, C[v] must have a 
valid run for all values of v, which is checked on line 7. Otherwise, the instructions 
on line 13 ensure that the value of x' can be decremented only if C[v] admits at 
least one valid run with the current value of v. Moreover, the zero test on line 14 
is passed if and only if C[v] admitted a valid run for more than val_1(x) different 
values. Similarly to the FORALL case, since C[v] is a component, we have that 
it makes at most a polynomial number of calls to zero-test(). If we denote 
this number by B, the maximum number of calls to zero-test() performed by 
EXISTSC[x, v] : C[v] is bounded by N · B + 5. Hence, it is indeed a component. 


4.5 Putting it all together 


Having defined all the building blocks above, we now prove Theorem 1, which is 
a consequence of the following lemma. 


Lemma 3. For any formula Φ(x̄) of FO_k-aryC(+,×), there exists a component 
C over k counters and polynomials p_1, ..., p_k : ℕ × ℕ^k → ℕ such that for 
any N ∈ ℕ and ā ∈ ℕ^k, (N,+,×) ⊨ Φ(ā) if and only if C admits a valid run 
from the initial configuration (p_1(N, ā), ..., p_k(N, ā)). 


Proof. We prove this statement by structural induction on subformulas of Φ. 
As shown in [3], rudimentary FO_unC(+,×) has the same expressive power 
as rudimentary FO_k-aryC(+,×). Since in our setting the formula is fixed, we 
can thus assume that Φ ∈ FO_unC(+,×). Moreover, it is easy to see that we 
can assume that only ∃^{>x} is used as a counter quantifier, since ∃^{=x} can easily 
be defined using it as described above. Finally, we can assume that negations 
appear in Φ only in front of arithmetic predicates. In particular, ¬∃^{>x} y φ(y) is 
equivalent to (∃^{>x'} y ¬φ(y)) ∧ (x + x' = N). 
The counters of the component C are defined to be: 


— a counter in vector x_C corresponding to every free variable of Φ(x̄); 

— a counter in vector y_C corresponding to every quantified variable of Φ(x̄); 

— a counter in vector a_C corresponding to every constant of Φ(x̄); and 

— the auxiliary counters t_C, x'_C, y'_C, z'_C used inside the components for 
predicates and counting quantifiers described above. 


We initialise them as follows: 
— f_1(x_C) = x and f_1(x̂_C) = N − x for each counter x_C corresponding to a 
variable x in x̄; 

— f_1(v) = 0 and f_1(v̂) = N for all the counters corresponding to quantified 
variables and constants, and auxiliary counters; and 

— for the testing counters, f_1(u_1) = 2N and f_1(u_2) = 2N · P(N), where the 
polynomial P(N) will be defined later. 


Assume first that a subformula φ of Φ consists of a single literal. Then, by 
using the previously defined components, we can construct a fixed component 
C_φ corresponding to this literal. In C_φ, for every valid initial configuration (L, f), 
there exists a valid run starting in it if and only if φ is true under the assignment 
of the values of the counters in (L, f) to the corresponding variables in φ. If 
φ is a Boolean combination of multiple literals, by simulating conjunction via 
sequential composition and disjunction by non-deterministic branching, we can 
construct a component C_φ with the same property. 

We now need to show how to simulate the quantifiers. Let C be the component 
constructed for φ. We then take 


— for ∃y φ: 
1: EXISTS[y_C] 
2: C[y_C] 

— for ∀y φ: 
1: FORALL[y_C] : 
2: C[y_C] 

— for ∃^{>x} y φ: 
1: EXISTSC[x_C, y_C] : 
2: C[y_C] 


As noted above, to be able to use these components, we need to make sure 
that C[y_C] has overall zero effect on the value of y_C. This is indeed true, since 
the only place where the value of a counter y_C is changed by a subroutine is in 
the component corresponding to the quantifier binding y. 

The counter program C starts with a component C_0 that initialises the counters 
a corresponding to the constants of Φ(x̄) by a sequence of instructions of 
the type a += c for a corresponding constant c appearing in Φ(x̄). Finally, we 
let C = C_0; C_1. By the properties established above, it is clear that C admits 
a valid run starting with f_1 defined above if and only if Φ(ā) is valid. To see 
that C is a component, it remains to note that at every step of the structural 
induction the number of calls to zero-test() is polynomial in N. Hence, there 
exists a polynomial P(N) such that the overall number of calls to zero-test() 
performed by C is bounded by P(N). We conclude by reminding the reader that we use this 
polynomial to initialise the value of the testing counter u_2. 


To prove Theorem 1, add a loop repeating zero tests at the end of C, thus 
setting the values of the testing counters to zero if and only if the invariant 
described in Section 3 holds. After that, set to zero all the remaining counters 
(including the hatted counters) by decrementing them in loops. A run in the 
counter program thus constructed is zero-accepting if and only if it is valid. 

As proved in [3], rudimentary FO_k-aryC(<) has the same expressive power 
as FO_k-aryC(+,×). Hence, an alternative proof for Theorem 1 is to express 
k-ary counting quantifiers without the need for components for addition and 
multiplication. However, this approach is more technical and less insightful. 

5 A universal VASS for polynomial space computations 


The goal of this section is to show that there is a fixed 5-VASS whose 
zero-reachability problem is PSPACE-hard, provided that the initial configuration is 
encoded in binary. Let us first remark that we can actually use the techniques 
developed in the previous section to prove that for every i, there exists a fixed 
VASS V_i such that deciding zero-reachability for V_i is NP-hard. A result by 
Nguyen and Pak [21] shows that for every i, there is a formula Φ_i of so-called 
short Presburger arithmetic such that deciding Φ_i is Σ_i^P-hard. Applying bounds 
on quantifier elimination established in [27], it can be shown that quantification 
for formulas of short Presburger arithmetic relativises in a certain sense to an 
initial segment N for some N ∈ ℕ whose bit length is polynomial in the size of 
Φ_i. Hence, by combining the results from [21] with Lemma 3, it is possible to show 
that zero-reachability for fixed binary VASS is hard for the polynomial hierarchy. 
We do not explore this method further because we can actually construct a fixed 
binary VASS such that the zero-reachability problem is PSPACE-hard for it and 
which has a smaller number of counters than the fixed binary VASS obtained 
from showing NP-hardness via the reduction from short Presburger arithmetic 
outlined above. 

We proceed with our construction as follows. We start with the halting prob- 
lem for Turing machines (TMs) working in polynomial space and show that this 
problem is PSPACE-hard even if the space complexity of the TM is bounded 
by the length of its encoding and its input is empty. In Proposition 2, we then 
reformulate the halting problem as follows: given the encoding of such a machine 
as an input to a universal one-tape TM U, does U accept? 

We then use two consecutive simulations. First, we simulate U with a 3-counter 
automaton A (Proposition 3), and then simulate A with a 5-VASS V 
(Theorem 2). To be able to apply the technique described in Section 3, we make 
sure that the space complexity stays linear in the size of the input throughout 
these simulations. This implies that both the upper bound on the value of the 
counters and the required number of zero tests are polynomial in the size of the 
input, which enables us to establish a polynomial time reduction. As a result we 
obtain a VASS V which, in a certain sense, can simulate arbitrary polynomial- 
space computations. 

To provide the reduction, we then show how to transform in polynomial time 
the input of the problem we started with, the halting problem for polynomial- 
space TMs, into a zero-reachability query for V. 


5.1 The halting problem for space-bounded TMs 


The goal of this subsection is to show that there exists a fixed polynomial- 
space TM whose halting problem is PSPACE-complete. Note that using standard 
arguments, we can assume that M below always halts. 


Proposition 1 ([2, Section 4.2]). The following problem is PSPACE-complete: 
given a TM M, an input word w and a number n encoded in unary, decide if 
M accepts w in at most n space. 
We fix some way of encoding, using an alphabet of size at least two, of Turing 
machines and we denote by |M| the length of the encoding of M, which we call 
the size of M. Given a TM M, we say that it is |M|-space-bounded if on every 
input it halts using at most |M| space. Given M, an input word w and a number 
n encoded in unary, it is easy to construct a |M|-space-bounded TM M' such 
that if M accepts w in space at most n, then M' accepts on the empty input, 
otherwise M' rejects on the empty input. Moreover, the size of M' is polynomial 
in |M|, |w| and 2^n. 

Indeed, M’ can be constructed as follows. When run on the empty input, it 
writes w on some tape, and then runs M treating this tape as the input tape. 
Additionally, it initialises another tape with n written in unary, and before each 
step of M it checks that the space used by the tape where M is simulated does 
not exceed n. If it does, it immediately rejects. It is easy to see that such a TM 
is |M’|-space-bounded and satisfies the required conditions. 

Hence we get that the following problem is PSPACE-complete: given a |M|- 
space-bounded TM M, does M accept on the empty input? Observe that from 
the construction above we can assume that M has a special representation such 
that the fact that it is |M|-space-bounded can be checked in polynomial time. 

Let U be a one-tape universal TM. This TM has a single read-write tape, 
which in the beginning contains the input, that is, a description of a TM M it 
is going to simulate. If M is |M|-space-bounded (and represented as mentioned 
in the previous paragraph), U simulates M on the empty input in space linear 
in |M| [2, Claim 1.6], otherwise U rejects. That is, in this space, U accepts or 
rejects depending on whether M accepts or rejects the empty word. Hence we 
get the following proposition. 


Proposition 2. There exists a fixed linear-space TM U such that the question 
whether U halts on a given input is PSPACE-complete. 


5.2 From TMs to counter automata 


In the previous subsection, we obtained a PSPACE-complete problem which al- 
ready resembles the form of the reachability problem for a fixed counter program: 
given a fixed linear-space TM U, does it accept a given input? In this section 
we show how to simulate U with a fixed counter automaton A, and in the next 
section we show how to simulate A with a fixed binary VASS V. 

Let A be a counter automaton. We say that A is deterministic if for every 
configuration (q, n_1, ..., n_d) there is at most one transition that A can take from 
this configuration. Suppose that A is deterministic, and that its final state q_f 
does not have any outgoing transitions. Let n̄ = (n_1, ..., n_d) ∈ ℕ^d. We treat A 
as an acceptor for such vectors. We say that A works in time t and space s 
on n̄ if the unique run starting in the configuration (q_0, n_1, ..., n_d) ends in a 
state without outgoing transitions, has length t, and the bit length of the largest 
value of a counter along this run is s. If this run ends in q_f, we say that A 
accepts this vector, otherwise we say that it rejects it. In all our constructions 
we make sure that there are no infinite runs. Note that, as in the case of TMs, 
we measure space complexity in the bit length of the values of the counters, and 
not in their actual values. 

Let Σ be a finite alphabet. Let us bijectively assign a natural number to each 
word over Σ as follows. First, assign a natural number between 1 and |Σ| to 
each symbol in Σ. Then w can be considered as a number in base |Σ|+1, with 
the least significant digit corresponding to the first letter of w. We denote this 
number by num(w). 

Let M be a TM, and w be its input. We can transform w into a vector 
(num(w),0,...,0), which will be the input of a deterministic counter automa- 
ton A. We say that A simulates M if w is accepted by M if and only if the 
corresponding vector is accepted by A. We say that this simulation is in linear 
space if there exists a constant c such that if the space complexity of M is s on 
some input, then the space complexity of A on the corresponding input is cs. 

The proof of the following proposition uses the techniques described in the 
proofs of [10, Theorem 4.3(a)] and [12, Theorem 2.4]. 


Proposition 3. For every one-tape TM M, there exists a deterministic 3- 
counter automaton A that simulates it in linear space. 


Proof. The idea of the proof is as follows. Two counters of A, call them ℓ and r, 
represent the content of the tape of M to the left and to the right of the reading 
head. They are encoded similarly to the way we encode the input word. Namely, 
let w_1 a w_2, where w_1, w_2 ∈ Σ* and a ∈ Σ, be the content of the tape at some 
moment of time, with the working head in the position of the letter a. Denote 
by w^R the reversal of the word w. Then ℓ stores num(w_1^R), r stores num(w_2), 
and a is stored in the finite memory of the underlying finite automaton. 

Now, to make a step to the left, we do the following. First, we need to add 
a to the end of the word encoded by the value of r. This is done by multiplying 
the value of r by |Σ|+1 and adding num(a) to it. Next, we need to extract the 
last letter of the word encoded by the value of ℓ, and remove this letter. To do 
so, we do the opposite of what we did for r: this letter is the residue of dividing 
the value of ℓ by |Σ|+1, and the new value of ℓ is the result of this division. 

The reason we need the third counter x is to perform these multiplications 
and divisions. Namely, to divide the value of a counter ℓ by a constant c, we 
repeat the following until it is no longer possible: subtract c from the value of 
ℓ and add one to the value of x. When the value of ℓ becomes smaller than 
c, we get the result of the division in the counter x, and the remainder in ℓ. 
Multiplication by a constant is done similarly. Observe that by construction the 
largest value of a counter of A at any moment of time is at most (|Σ|+1)^S, where 
S is the maximal amount of space M uses on the given input. The bit length of this 
number is linear in S, hence A simulates M in linear space. 
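As an added illustration that is not part of the paper, the following Python code encodes a tape as the two counters ℓ and r of the proof above and performs a left and a right head move using only the operations the proof allows a counter automaton: repeated subtraction of a constant into the third counter for division, and repeated addition for multiplication. The alphabet, the blank symbol '_' (treated as an ordinary tape symbol so that moving past the written part of the tape stays well defined) and the helper names (num, word, encode_tape, decode_tape, move_left, move_right, div_const, mul_const, max_counter_bits) are constructed for this example.

```python
# Constructed alphabet: symbols are numbered 1..|Σ|; '_' plays the role of the blank.
SIGMA = "_ab"
BASE = len(SIGMA) + 1          # |Σ|+1, the base of the encoding
BLANK = "_"

def num(w):
    """num(w): read w as a base-(|Σ|+1) number whose least significant digit is
    the first letter of w.  The empty word encodes as 0."""
    n = 0
    for ch in reversed(w):
        n = n * BASE + SIGMA.index(ch) + 1
    return n

def word(n):
    """Inverse of num; the digit 0 never occurs in a well-formed encoding."""
    out = []
    while n:
        n, d = divmod(n, BASE)
        if d == 0:
            raise ValueError("not the encoding of a word")
        out.append(SIGMA[d - 1])
    return "".join(out)

# Counter-automaton primitives: only +-constant steps and comparisons with a
# constant, routed through the third counter x exactly as in the proof above.
def div_const(counter, c):
    """Divide `counter` by the constant c: returns (quotient in x, remainder)."""
    x = 0
    while counter >= c:          # repeat "subtract c, add one to x" while possible
        counter -= c
        x += 1
    return x, counter

def mul_const(counter, c):
    """Multiply `counter` by the constant c using the auxiliary counter x."""
    x = 0
    while counter > 0:
        counter -= 1
        x += c
    return x

def encode_tape(w1, a, w2):
    """Tape w1 a w2 with the head on a: ℓ = num(w1^R), r = num(w2), a in finite control."""
    return num(w1[::-1]), a, num(w2)

def decode_tape(l, a, r):
    return word(l)[::-1], a, word(r)

def move_left(l, a, r):
    """Head moves left: a becomes the letter of w2 adjacent to the head (its
    least significant digit), and the letter adjacent to the head on the left
    is popped off ℓ as the remainder of a division by |Σ|+1."""
    r = mul_const(r, BASE) + num(a)
    if l == 0:                                # nothing written left of the head
        return l, BLANK, r
    l, d = div_const(l, BASE)
    return l, SIGMA[d - 1], r

def move_right(l, a, r):
    """Head moves right: symmetric to move_left."""
    l = mul_const(l, BASE) + num(a)
    if r == 0:
        return l, BLANK, r
    r, d = div_const(r, BASE)
    return l, SIGMA[d - 1], r

def max_counter_bits(w1, a, w2):
    """Bit length of the largest counter: linear in the space |w1 a w2| used."""
    l, _, r = encode_tape(w1, a, w2)
    return max(l, r).bit_length()
```

With SIGMA = "_ab" the tape "abba" with the head on the second letter is stored as ℓ = num("ba") = 11, a = "b", r = num("a") = 2; one left move yields (2, "b", 11), which decodes back to the same tape with the head one cell to the left, and a right move restores the original triple.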


By simulating U from Proposition 2 with a counter automaton A, we get the 
following statement. 


Corollary 1. There exists a fixed 3-counter automaton A working in linear 
space such that the zero-reachability problem for it is PSPACE-complete. 
For 2-counter automata, no such result is known. Informally speaking, such 
automata are exponentially slower than 3-counter automata: the known 
simulation requires storing the values of the three counters x, y, z as 2^x 3^y 5^z [20]. They 
are also less expressive: for example, 2-counter automata cannot compute the 
function 2^n [24], while for 3-counter automata this is trivial. It is worth 
noting that the developments of the next subsection imply that a lower bound for fixed 
2-counter automata translates into a lower bound for fixed 4-VASS. 


5.3 From counter automata to VASS 


To go from a counter automaton to a VASS, we need to simulate zero tests with 
a VASS. In general, this is not possible. However, the space complexity of the 
counter automaton in Corollary 1 is linear, so the values of all its counters are 
bounded by a polynomial in the bit length of the input. The number of zero tests 
A performs does not exceed its time complexity, which is at most exponential 
in the space complexity. However, this is not a problem, since all the values 
are provided and stored in binary. The bit length of the number of zero tests 
is thus polynomial in the input, and hence the testing counters described in 
Section 3 can be initialised with a polynomial time reduction, hence obtaining 
PSPACE-hardness of the zero-reachability problem in fixed 8-VASS. 

Moreover, a more advanced technique of quadratic pairs described in [7] 
allows us to deduce the same result for 5-VASS. Namely, a slight variation of [7, 
Lemma 2.7] states that given a 3-counter automaton A working in linear space, 
one can construct a 5-VASS V such that fixed zero-reachability in A can be 
reduced in polynomial time to fixed zero-reachability in V. The same reasoning 
as before shows that we can initialise the counters of V to account for enough 
zero tests. Hence we get the main result of this section. 


Theorem 2. There exists a fixed 5-VASS such that the FIXED VASS ZERO- 
REACHABILITY problem for it is PSPACE-hard assuming that the input configu- 
ration is given in binary. 


By Remark 1 and by further inspecting the construction in [7, Lemma 2.7], 
together with the PSPACE upper bound for coverability in fixed VASS with 
configurations given in binary established in [22], we moreover obtain the fol- 
lowing corollary. 


Corollary 2. There exists a fixed 6-VASS such that the FIXED VASS 
COVERABILITY problem for it is PSPACE-complete assuming that the input 
configurations are given in binary. 
Abstract. There are many evaluation strategies for term rewrite systems, 
but proving termination automatically is usually easiest for innermost 
rewriting. Several syntactic criteria exist when innermost termination 
implies full termination. We adapt these criteria to the probabilistic 
setting, e.g., we show when it suffices to analyze almost-sure termination 
(AST) w.r.t. innermost rewriting to prove full AST of probabilistic term 
rewrite systems. These criteria also apply to other notions of termination 
like positive AST. We implemented and evaluated our new contributions 
in the tool AProVE. 


1 Introduction 


Termination analysis is one of the main tasks in program verification, and 
techniques and tools to analyze termination of term rewrite systems (TRSs) 
automatically have been studied for decades. While a direct application of classical 
reduction orderings is often too weak, these orderings can be used successfully 
within the dependency pair (DP) framework [3, 20]. This framework allows for 
modular termination proofs by decomposing the original termination problem 
into sub-problems whose termination can then be analyzed independently using 
different techniques. Thus, DPs are used in essentially all current termination 
tools for TRSs (e.g., AProVE [21], MuTerm [25], NaTT [46], TTT2 [33]). To 
allow certification of termination proofs with DPs, they have been formalized in 
several proof assistants and there exist several corresponding certification tools 
for termination proofs with DPs (e.g., CeTA [43]). 

On the other hand, probabilistic programs are used to describe randomized 
algorithms and probability distributions, with applications in many areas, see, 
e.g., [23]. To use TRSs also for such programs, probabilistic term rewrite systems 
(PTRSs) were introduced in [4, 9, 10]. In the probabilistic setting, there are 
several notions of “termination”. In this paper, we mostly focus on analyzing 
almost-sure termination (AST), i.e., we want to prove automatically that the 
probability for termination is 1. 
While there exist many automatic approaches to prove (P)AST of imperative 
programs on numbers (e.g., [2, 5, 11, 16, 22, 26-28, 36-38, 40]), there are only 
few automatic approaches for programs with complex non-tail recursive structure 
[8, 12, 13]. The approaches that are also suitable for algorithms on recursive 
data structures [7, 35, 45] are mostly specialized for specific data structures and 
cannot easily be adjusted to other (possibly user-defined) ones, or are not yet 
fully automated. 


For innermost AST (i.e., AST restricted to rewrite sequences where one 
only evaluates at innermost positions), we recently presented an adaption of 
the DP framework which allows us to benefit from a similar modularity as in 
the non-probabilistic setting [29, 32]. Unfortunately, there is no such modular 
powerful approach available for full AST (i.e., AST when considering arbitrary 
rewrite sequences). Up to now, full AST of PTRSs can only be proved via a 
direct application of orderings [4, 29], but there is no corresponding adaption of 
dependency pairs. (As explained in [29], a DP framework to analyze full instead 
of innermost AST would be “considerably more involved”.) Indeed, also in the 
non-probabilistic setting, innermost termination is usually substantially easier to 
prove than full termination, see, e.g., [3, 20]. To lift innermost termination proofs 
to full rewriting, in the non-probabilistic setting, there exist several sufficient 
criteria which ensure that innermost termination implies full termination [24]. 


Up to now, no such results were known in the probabilistic setting. Our paper 
presents the first sufficient criteria for PTRSs which ensure that AST coincides for 
full and innermost rewriting, and we also show similar results for other rewrite 
strategies like leftmost-innermost rewriting. We focus on criteria that can be 
checked automatically, so we can combine our results with the DP framework 
for proving innermost AST of PTRSs [29, 32]. In this way, we obtain a modular 
powerful technique that can also prove AST for full rewriting automatically. 


We will also consider the stronger notion of positive almost-sure termination 
(PAST) [10, 42], which requires that the expected runtime is finite, and show 
that our criteria for the relationship between full and innermost probabilistic 
rewriting hold for PAST as well. In contrast to AST, PAST is not modular, i.e., 
the sequence of two programs that are PAST may yield a program that is not 
PAST (see, e.g., [27]). Therefore, up to now there is no variant of DPs that allows 
one to prove PAST of PTRSs; there only exist techniques to apply polynomial or 
matrix orderings directly [4]. 


We start with preliminaries on term rewriting in Sect. 2. Then we recapitulate 
PTRSs based on [4, 10, 14, 15, 29] in Sect. 3. In Sect. 4 we show that the properties 
of [24] that ensure equivalence of innermost and full termination do not suffice in 
the probabilistic setting and extend them accordingly. In particular, we show that 
innermost and full AST coincide for PTRSs that are non-overlapping and linear. 
This result also holds for PAST, as well as for strategies like leftmost-innermost 
evaluation. In Sect. 5 we show how to weaken the linearity requirement in order 
to prove full AST for larger classes of PTRSs. The implementation of our criteria 
in the tool AProVE is evaluated in Sect. 6. We refer to [30] for all proofs. 
2 Preliminaries 


We assume familiarity with term rewriting [6] and regard (possibly infinite) TRSs over a (possibly infinite) signature $\Sigma$ and a set of variables $V$. Consider the TRS $R_d$ that doubles a natural number (represented by the terms $s$ and $0$) with the rewrite rules $d(s(x)) \to s(s(d(x)))$ and $d(0) \to 0$ as an example. A TRS $R$ induces a rewrite relation $\to_R \subseteq T(\Sigma,V) \times T(\Sigma,V)$ on terms where $s \to_R t$ holds if there is a position $\pi$, a rule $\ell \to r \in R$, and a substitution $\sigma$ such that $s|_\pi = \ell\sigma$ and $t = s[r\sigma]_\pi$. A rewrite step $s \to_R t$ is an innermost rewrite step (denoted $s \xrightarrow{i}_R t$) if all proper subterms of the used redex $\ell\sigma$ are in normal form w.r.t. $R$ (i.e., they do not contain redexes themselves and thus, they cannot be reduced with $\to_R$). For example, we have $d(s(d(s(0)))) \xrightarrow{i}_{R_d} d(s(s(s(d(0)))))$. 

Let $<$ be the prefix ordering on positions and let $\leq$ be its reflexive closure. Then for two parallel positions $\tau$ and $\pi$ we define $\tau \prec \pi$ ($\tau$ is to the left of $\pi$) if we have $i < j$ for the unique $i, j$ such that $\chi.i \leq \tau$ and $\chi.j \leq \pi$, where $\chi$ is the longest common prefix of $\tau$ and $\pi$. An innermost rewrite step $s \xrightarrow{i}_R t$ at position $\pi$ is leftmost (denoted $s \xrightarrow{li}_R t$) if there exists no redex at a position $\tau$ with $\tau \prec \pi$. 

We call a TRS $R$ strongly (innermost / leftmost innermost) normalizing (SN / iSN / liSN) if $\to_R$ ($\xrightarrow{i}_R$ / $\xrightarrow{li}_R$) is well founded. SN is also called “terminating” and iSN / liSN are called “innermost / leftmost innermost terminating”. If every term $t \in T(\Sigma,V)$ has a normal form (i.e., we have $t \to_R^* t'$ where $t'$ is in normal form), then we call $R$ weakly normalizing (WN). Two terms $s, t$ are joinable via $R$ (denoted $s \downarrow_R t$) if there exists a term $w$ such that $s \to_R^* w \mathrel{{}^{*}_{R}\!\leftarrow} t$. Two rules $\ell_1 \to r_1, \ell_2 \to r_2 \in R$ with renamed variables such that $V(\ell_1) \cap V(\ell_2) = \emptyset$ are overlapping if there exists a non-variable position $\pi$ of $\ell_1$ such that $\ell_1|_\pi$ and $\ell_2$ are unifiable with an mgu $\sigma$. If $(\ell_1 \to r_1) = (\ell_2 \to r_2)$ (up to the renaming of variables), then we require that $\pi \neq \varepsilon$, i.e., a rule does not overlap with itself at the root. $R$ is non-overlapping (NO) if it has no overlapping rules. As an example, the TRS $R_d$ is non-overlapping. A TRS is left-linear (LL) (right-linear, RL) if every variable occurs at most once in the left-hand side (right-hand side) of a rule. A TRS is linear if it is both left- and right-linear. A TRS is non-erasing (NE) if in every rule, all variables of the left-hand side also occur in the right-hand side. 

Next, we recapitulate the relations between iSN, SN, liSN, and WN in the 
non-probabilistic setting. We start with the relation between iSN and SN. 


Counterexample 1 (Toyama's Counterexample [44]). The TRS $R_1$ with the rules $f(a,b,x) \to f(x,x,x)$, $g \to a$, and $g \to b$ is not SN since we have $f(a,b,g) \to_{R_1} f(g,g,g) \to_{R_1} f(a,g,g) \to_{R_1} f(a,b,g) \to_{R_1} \ldots$ But the only innermost rewrite sequences starting with $f(a,b,g)$ are $f(a,b,g) \xrightarrow{i}_{R_1} f(a,b,a) \xrightarrow{i}_{R_1} f(a,a,a)$ and $f(a,b,g) \xrightarrow{i}_{R_1} f(a,b,b) \xrightarrow{i}_{R_1} f(b,b,b)$, i.e., both reach normal forms in the end. Thus, $R_1$ is iSN as we have to rewrite the inner $g$ before we can use the $f$-rule. 


The first property known to ensure equivalence of SN and iSN is orthogonality. 
A TRS is orthogonal if it is non-overlapping and left-linear. 


Theorem 2 (From iSN to SN (1), [41]). If a TRS $R$ is orthogonal, then $R$ is SN iff $R$ is iSN. 


Then, in [24] it was shown that one can remove the left-linearity requirement. 
Theorem 3 (From iSN to SN (2), [24]). If a TRS $R$ is non-overlapping, then $R$ is SN iff $R$ is iSN. 


Finally, [24] also refined Thm. 3 further. A TRS $R$ is an overlay system (OS) if its rules may only overlap at the root position, i.e., $\pi = \varepsilon$. For Ex. 1 one can see that the only overlap (between the two $g$-rules) occurs at the root position, i.e., $R_1$ is an overlay system. Furthermore, a TRS is locally confluent (or weakly Church-Rosser, abbreviated WCR) if for all terms $s, t_1, t_2$ such that $t_1 \mathrel{{}_R\!\leftarrow} s \to_R t_2$ the terms $t_1$ and $t_2$ are joinable. So $R_1$ is not WCR, as we have $f(a,b,a) \mathrel{{}_{R_1}\!\leftarrow} f(a,b,g) \to_{R_1} f(a,b,b)$, but $f(a,b,a)$ and $f(a,b,b)$ are not joinable (their only normal forms are $f(a,a,a)$ and $f(b,b,b)$, respectively). If a TRS has both of these properties, then iSN and SN are again equivalent. 


Theorem 4 (From iSN to SN (3), [24]). If a TRS $R$ is a locally confluent overlay system, then $R$ is SN iff $R$ is iSN. 


Thm. 4 is stronger than Thm. 3 as every non-overlapping TRS is a locally 
confluent overlay system. We recapitulate the relation between WN and SN next. 


Counterexample 5. Consider the TRS $R_2$ with the rules $f(x) \to b$ and $a \to f(a)$. This TRS is not SN since we can always rewrite the inner $a$ to get $a \to_{R_2} f(a) \to_{R_2} f(f(a)) \to_{R_2} \ldots$, but it is WN since we can also rewrite the outer $f(\ldots)$ before we use the $a$-rule twice, resulting in the term $b$, which is a normal form. For the TRS $R_3$ with the rules $f(a) \to b$ and $a \to f(a)$, the situation is similar. 


The TRS $R_2$ from Ex. 5 is erasing and $R_3$ is overlapping. For TRSs with neither of those two properties, SN and WN are equivalent. 


Theorem 6 (From WN to SN [24]). If a TRS $R$ is non-overlapping and non-erasing, then $R$ is SN iff $R$ is WN. 


Finally, we look at the difference between rewrite strategies that use an 
ordering for parallel redexes like leftmost innermost rewriting compared to just 
innermost rewriting. It turns out that such an ordering does not interfere with 
termination at all. 


Theorem 7 (From liSN to iSN [34]). For all TRSs $R$ we have that $R$ is iSN iff $R$ is liSN. 


The relations between the different properties for non-probabilistic TRSs (given in Thm. 4, 6, and 7) are summarized below, where each equivalence is labelled with the property needed for it (the first one holds unconditionally): 

    liSN  <==>  iSN  <==[OS + WCR]==>  SN  <==[NO + NE]==>  WN 
3 Probabilistic Term Rewriting 


In this section, we recapitulate probabilistic TRSs [4, 10, 29]. In contrast to TRSs, a PTRS has finite multi-distributions¹ on the right-hand sides of its rewrite rules.² A finite multi-distribution $\mu$ on a set $A \neq \emptyset$ is a finite multiset of pairs $(p : a)$, where $0 < p \leq 1$ is a probability and $a \in A$, such that $\sum_{(p : a) \in \mu} p = 1$. $\mathrm{FDist}(A)$ is the set of all finite multi-distributions on $A$. For $\mu \in \mathrm{FDist}(A)$, its support is the multiset $\mathrm{Supp}(\mu) = \{a \mid (p : a) \in \mu \text{ for some } p\}$. A probabilistic rewrite rule is a pair $\ell \to \mu \in T(\Sigma,V) \times \mathrm{FDist}(T(\Sigma,V))$ such that $\ell \notin V$ and $V(r) \subseteq V(\ell)$ for every $r \in \mathrm{Supp}(\mu)$. A probabilistic TRS (PTRS) is a (possibly infinite) set $S$ of probabilistic rewrite rules. Similar to TRSs, the PTRS $S$ induces a rewrite relation $\to_S \subseteq T(\Sigma,V) \times \mathrm{FDist}(T(\Sigma,V))$ where $s \to_S \{p_1 : t_1, \ldots, p_k : t_k\}$ if there is a position $\pi$, a rule $\ell \to \{p_1 : r_1, \ldots, p_k : r_k\} \in S$, and a substitution $\sigma$ such that $s|_\pi = \ell\sigma$ and $t_j = s[r_j\sigma]_\pi$ for all $1 \leq j \leq k$. We call $s \to_S \mu$ an innermost rewrite step (denoted $s \xrightarrow{i}_S \mu$) if all proper subterms of the used redex $\ell\sigma$ are in normal form w.r.t. $S$. We have $s \xrightarrow{li}_S \mu$ if the rewrite step $s \xrightarrow{i}_S \mu$ at position $\pi$ is leftmost (i.e., there is no redex at a position $\tau$ with $\tau \prec \pi$). For example, the PTRS $S_{rw}$ with the only rule $g \to \{1/2 : c(g,g),\ 1/2 : \bot\}$ corresponds to a symmetric random walk on the number of $g$-symbols in a term. 

As in [4, 14, 15, 29], we lift $\to_S$ to a rewrite relation between multi-distributions in order to track all probabilistic rewrite sequences (up to non-determinism) at once. For any $0 < p \leq 1$ and any $\mu \in \mathrm{FDist}(A)$, let $p \cdot \mu = \{(p \cdot q : a) \mid (q : a) \in \mu\}$. 


Definition 8 (Lifting). The lifting $\rightrightarrows \subseteq \mathrm{FDist}(T(\Sigma,V)) \times \mathrm{FDist}(T(\Sigma,V))$ of a relation $\to \subseteq T(\Sigma,V) \times \mathrm{FDist}(T(\Sigma,V))$ is the smallest relation with: 


• If $t \in T(\Sigma,V)$ is in normal form w.r.t. $\to$, then $\{1 : t\} \rightrightarrows \{1 : t\}$. 

• If $t \to \mu$, then $\{1 : t\} \rightrightarrows \mu$. 

• If for all $1 \leq j \leq k$ there are $\mu_j, \nu_j \in \mathrm{FDist}(T(\Sigma,V))$ with $\mu_j \rightrightarrows \nu_j$ and $0 < p_j \leq 1$ with $\sum_{1 \leq j \leq k} p_j = 1$, then $\bigcup_{1 \leq j \leq k} p_j \cdot \mu_j \rightrightarrows \bigcup_{1 \leq j \leq k} p_j \cdot \nu_j$ (multiset union). 


For a PTRS $S$, we write $\rightrightarrows_S$, $\overset{i}{\rightrightarrows}_S$, and $\overset{li}{\rightrightarrows}_S$ for the liftings of $\to_S$, $\xrightarrow{i}_S$, and $\xrightarrow{li}_S$, respectively. 


Example 9. For example, we obtain the following $\rightrightarrows_{S_{rw}}$-rewrite sequence (which is also an $\overset{i}{\rightrightarrows}_{S_{rw}}$-sequence, but not an $\overset{li}{\rightrightarrows}_{S_{rw}}$-sequence, since the third step rewrites the right $g$ of $c(c(g,g),g)$ although the leftmost innermost redex is the left one): 

$\{1 : g\}$ 
$\rightrightarrows_{S_{rw}} \{1/2 : c(g,g),\ 1/2 : \bot\}$ 
$\rightrightarrows_{S_{rw}} \{1/4 : c(c(g,g),g),\ 1/4 : c(\bot,g),\ 1/2 : \bot\}$ 
$\rightrightarrows_{S_{rw}} \{1/8 : c(c(g,g),c(g,g)),\ 1/8 : c(c(g,g),\bot),\ 1/8 : c(\bot,c(g,g)),\ 1/8 : c(\bot,\bot),\ 1/2 : \bot\}$ 


¹ The restriction to finite multi-distributions allows us to simplify the handling of PTRSs in the proofs. 

² A different form of probabilistic rewrite rules was proposed in PMaude [1], where numerical extra variables in right-hand sides of rules are instantiated according to a probability distribution. 
To express the concept of almost-sure termination, one has to determine the probability for normal forms in a multi-distribution. 


Definition 10 ($|\mu|_S$). For a PTRS $S$, $\mathrm{NF}_S \subseteq T(\Sigma,V)$ denotes the set of all normal forms w.r.t. $S$. For any $\mu \in \mathrm{FDist}(T(\Sigma,V))$, let $|\mu|_S = \sum_{(p : t) \in \mu,\ t \in \mathrm{NF}_S} p$. 


Example 11. Consider $\mu = \{1/8 : c(c(g,g),c(g,g)),\ 1/8 : c(c(g,g),\bot),\ 1/8 : c(\bot,c(g,g)),\ 1/8 : c(\bot,\bot),\ 1/2 : \bot\}$ from Ex. 9. Then $|\mu|_{S_{rw}} = 1/8 + 1/2 = 5/8$, since $c(\bot,\bot)$ and $\bot$ are both normal forms w.r.t. $S_{rw}$. 


Definition 12 (AST). Let $S$ be a PTRS and $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$ be an infinite $\rightrightarrows_S$-rewrite sequence, i.e., $\mu_n \rightrightarrows_S \mu_{n+1}$ for all $n \in \mathbb{N}$. We say that $\vec{\mu}$ converges with probability $\lim_{n \to \infty} |\mu_n|_S$. $S$ is almost-surely terminating (AST) (innermost AST (iAST) / leftmost innermost AST (liAST)) if $\lim_{n \to \infty} |\mu_n|_S = 1$ holds for every infinite $\rightrightarrows_S$- ($\overset{i}{\rightrightarrows}_S$- / $\overset{li}{\rightrightarrows}_S$-) rewrite sequence $(\mu_n)_{n \in \mathbb{N}}$. To highlight the consideration of AST for full (instead of innermost) rewriting, we also speak of full AST (fAST) instead of “AST”. We say that $S$ is weakly AST (wAST) if for every term $t$ there exists an infinite $\rightrightarrows_S$-rewrite sequence $(\mu_n)_{n \in \mathbb{N}}$ with $\lim_{n \to \infty} |\mu_n|_S = 1$ and $\mu_0 = \{1 : t\}$. 


Example 13. For every infinite extension $(\mu_n)_{n \in \mathbb{N}}$ of the $\rightrightarrows_{S_{rw}}$-rewrite sequence in Ex. 9, we have $\lim_{n \to \infty} |\mu_n|_{S_{rw}} = 1$. Indeed, $S_{rw}$ is fAST and thus also iAST, liAST, and wAST. 


Next, we define positive almost-sure termination that considers the expected 
derivation length edl(ji) of a rewrite sequence ği, i.e., the expected number of 
steps until one reaches a normal form. For PAST, we require that the expected 
derivation lengths of all possible rewrite sequences are finite. In the following 
definition, (1 — |un|s) is the probability of terms that are not in normal form 
w.r.t. S after the n-th step. 


Definition 14 (edl, PAST). Let $S$ be a PTRS and $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$ be an infinite $\rightrightarrows_S$-rewrite sequence. By $\mathrm{edl}(\vec{\mu}) = \sum_{n=0}^{\infty} (1 - |\mu_n|_S)$ we denote the expected derivation length of $\vec{\mu}$. $S$ is positively almost-surely terminating (PAST) (innermost PAST (iPAST) / leftmost innermost PAST (liPAST)) if $\mathrm{edl}(\vec{\mu})$ is finite for every infinite $\rightrightarrows_S$- ($\overset{i}{\rightrightarrows}_S$- / $\overset{li}{\rightrightarrows}_S$-) rewrite sequence $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$.³ Again, we also speak of full PAST (fPAST) when considering PAST for the full rewrite relation $\rightrightarrows_S$. We say that $S$ is weakly PAST (wPAST) if for every term $t$ there exists an infinite $\rightrightarrows_S$-rewrite sequence $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$ such that $\mathrm{edl}(\vec{\mu})$ is finite and $\mu_0 = \{1 : t\}$. 


It is well known that PAST implies AST, but not vice versa. 


Example 15. For every infinite extension $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$ of the $\rightrightarrows_{S_{rw}}$-rewrite sequence in Ex. 9, the expected derivation length $\mathrm{edl}(\vec{\mu})$ is infinite, hence $S_{rw}$ is not PAST w.r.t. any of the strategies regarded in this paper. 


³ This definition is from [4], where it is also explained why this definition of PAST is equivalent to the one of, e.g., [10]. 
In [4, 18], PAST was strengthened further to bounded or strong almost-sure termination (SAST). Indeed, our results on PAST can also be adapted to SAST (see [30]). 

Many properties of TRSs from Sect. 2 can be lifted to PTRSs in a straightforward way: A PTRS $S$ is right-linear (non-erasing) iff the TRS $\{\ell \to r \mid \ell \to \mu \in S,\ r \in \mathrm{Supp}(\mu)\}$ has the respective property. Moreover, all properties that just consider the left-hand sides, e.g., left-linearity, being non-overlapping, orthogonality, and being an overlay system, can be lifted to PTRSs directly as well, since their rules again only have a single left-hand side. 


4 Relating Variants of AST 


Our goal is to relate AST of full rewriting to restrictions of fAST, i.e., to iAST (Sect. 4.1), wAST (Sect. 4.2), and liAST (Sect. 4.3). More precisely, we want to find properties of PTRSs which are suitable for automated checking and which guarantee that two variants of AST are equivalent. Then for example, we can use existing tools that analyze iAST in order to prove fAST. Clearly, we have to impose at least the same requirements as in the non-probabilistic setting, as every TRS $R$ can be transformed into a PTRS $S$ by replacing every rule $\ell \to r$ with $\ell \to \{1 : r\}$. Then $R$ is SN / iSN / liSN iff $S$ is fAST / iAST / liAST. While we mostly focus on AST, all results and counterexamples in this section also hold for PAST. 


4.1 From iAST to fAST 


Again, we start by analyzing the relation between iAST and fAST. The following 
example shows that Thm. 2 does not carry over to the probabilistic setting, i.e., 
orthogonality is not sufficient to ensure that iAST implies fAST. 


Counterexample 16 (Orthogonality Does Not Suffice). Consider the orthogonal PTRS $S_1$ with the two rules: 

    $g \to \{3/4 : d(g),\ 1/4 : \bot\}$        $d(x) \to \{1 : c(x,x)\}$ 

This PTRS is not fAST (and thus, also not fPAST), as we have $\{1 : g\} \rightrightarrows_{S_1}^{2} \{3/4 : c(g,g),\ 1/4 : \bot\}$ (first the $g$-rule, then the $d$-rule), which corresponds to a random walk on the number of $g$-symbols that is biased towards non-termination (since $3/4 > 1/4$). 

However, the d-rule can only duplicate normal forms in innermost evaluations. 


To see that $S_1$ is iPAST (and thus, also iAST), consider the following rewrite sequence $\vec{\mu}$: 

$\{1 : g\} \overset{i}{\rightrightarrows}_{S_1} \{3/4 : d(g),\ 1/4 : \bot\} \overset{i}{\rightrightarrows}_{S_1} \{(3/4)^2 : d(d(g)),\ 1/4 \cdot 3/4 : d(\bot),\ 1/4 : \bot\} \overset{i}{\rightrightarrows}_{S_1} \ldots$ 


We can also view this rewrite sequence as a tree: 
The branch to the right that starts with $\bot$ stops after 0 innermost steps, the branch that starts with $d(\bot)$ stops after 1 innermost step, the branch that starts with $d(d(\bot))$ stops after 2 innermost steps, and so on. So if we start with the term $d^n(\bot)$, then we reach a normal form after $n$ steps, and we reach $d^n(\bot)$ after $n+1$ steps from the initial term $g$, where $d^n(\bot) = d(\ldots(d(\bot))\ldots)$ with $n$ occurrences of $d$. Hence, for every $k \in \mathbb{N}$ we have $|\mu_{2k+1}|_{S_1} = |\mu_{2k+2}|_{S_1} = \sum_{n=0}^{k} 1/4 \cdot (3/4)^n = 1 - (3/4)^{k+1}$ and thus 

$\mathrm{edl}(\vec{\mu}) = \sum_{n=0}^{\infty} (1 - |\mu_n|_{S_1}) = 1 + 2 \cdot \sum_{k=0}^{\infty} (1 - |\mu_{2k+1}|_{S_1})$ 
$\quad = 1 + 2 \cdot \sum_{k=0}^{\infty} \big(1 - \sum_{n=0}^{k} 1/4 \cdot (3/4)^n\big) = 1 + 2 \cdot \sum_{k=0}^{\infty} (3/4)^{k+1}$ 
$\quad = \big(2 \cdot \sum_{k=0}^{\infty} (3/4)^k\big) - 1 = 7.$ 


Analogously, in all other innermost rewrite sequences, the d-rule can also only 
duplicate normal forms. Thus, all possible innermost rewrite sequences have finite 
expected derivation length. Therefore, Sı is iPAST and thus, also iAST. The 
latter can also be proved automatically by our implementation of the probabilistic 
DP framework for iAST [29] in AProVE. 


To construct a counterexample for AST of S1, we exploited the fact that Sı 
is not right-linear. Indeed, requiring right-linearity yields our desired result. For 
reasons of space, here we only give a proof sketch. As mentioned, all full proofs 
can be found in [30]. 


Theorem 17 (From iAST/iPAST to fAST/fPAST (1)). If a PTRS $S$ is orthogonal and right-linear (i.e., non-overlapping and linear), then: 

    $S$ is fAST  $\iff$  $S$ is iAST 
    $S$ is fPAST $\iff$  $S$ is iPAST 


Proof Sketch. We only have to prove the non-trivial direction “<=”. The proofs 
for all theorems in this section (for both AST and PAST) follow a similar structure. 
We always iteratively replace rewrite steps by steps that use the desired strategy 
and ensure that this does not increase the probability of termination (resp. the 
expected derivation length). For this replacement, we lift the corresponding 
construction from the non-probabilistic to the probabilistic setting. However, this 
cannot be done directly but instead, we have to regard the “limit” of a sequence 
of transformation steps. 

We first consider fAST and iAST. Let $S$ be a PTRS that is non-overlapping, linear, and not fAST. Thus, there exists an infinite rewrite sequence $\vec{\mu} = (\mu_n)_{n \in \mathbb{N}}$ such that $\lim_{n \to \infty} |\mu_n|_S = c$ for some $c \in \mathbb{R}$ with $0 \leq c < 1$. Our goal is to transform this sequence into an innermost sequence that converges at most with probability $c$. If the sequence is not yet an innermost one, then in $(\mu_n)_{n \in \mathbb{N}}$ at least one rewrite step is performed with a redex that is not an innermost redex. Since $S$ is non-overlapping, we can replace a first such non-innermost rewrite step with an innermost rewrite step using a similar construction as in the non-probabilistic setting. In this way, we obtain a rewrite sequence $\vec{\mu}^{(1)} = (\mu^{(1)}_n)_{n \in \mathbb{N}}$ with $\lim_{n \to \infty} |\mu^{(1)}_n|_S = \lim_{n \to \infty} |\mu_n|_S = c$. Here, linearity is needed to ensure that the probability of termination does not increase during this replacement. We can then repeat this replacement for every non-innermost rewrite step, i.e., we again replace a first non-innermost rewrite step in $(\mu^{(1)}_n)_{n \in \mathbb{N}}$ to obtain $(\mu^{(2)}_n)_{n \in \mathbb{N}}$ with the same termination probability, etc. In the end, the limit of all these rewrite sequences $\lim_{i \to \infty} (\mu^{(i)}_n)_{n \in \mathbb{N}}$ is an innermost rewrite sequence that converges with probability at most $c < 1$, and hence, the PTRS $S$ is not innermost AST. 

For fPAST and iPAST, we start with an infinite rewrite sequence $\vec{\mu}$ such that $\mathrm{edl}(\vec{\mu}) = \infty$. Again, we replace the first non-innermost rewrite step with an innermost rewrite step using exactly the same construction as before to obtain $\vec{\mu}^{(1)}$, etc., since $\vec{\mu}^{(1)}$ does not only have the same termination probability as $\vec{\mu}$, but we also have $\mathrm{edl}(\vec{\mu}^{(1)}) \geq \mathrm{edl}(\vec{\mu})$. In the end, the limit of all these rewrite sequences $\lim_{i \to \infty} \vec{\mu}^{(i)}$ is an innermost rewrite sequence such that $\mathrm{edl}(\lim_{i \to \infty} \vec{\mu}^{(i)}) \geq \mathrm{edl}(\vec{\mu}) = \infty$, and hence, the PTRS $S$ is not innermost PAST. 


One may wonder whether we can remove the left-linearity requirement from 
Thm. 17, as in the non-probabilistic setting. It turns out that this is not possible. 


Counterexample 18 (Left-Linearity Cannot be Removed). Consider the PTRS $S_2$ with the rules: 

    $f(x,x) \to \{1 : f(a,a)\}$        $a \to \{1/2 : b,\ 1/2 : c\}$ 

$S_2$ is not fAST (hence also not fPAST), since $\{1 : f(a,a)\} \rightrightarrows_{S_2} \{1 : f(a,a)\} \rightrightarrows_{S_2} \ldots$ is an infinite rewrite sequence that converges with probability 0. However, it is iPAST (and hence, iAST) since the corresponding innermost sequence has the form $\{1 : f(a,a)\} \overset{i}{\rightrightarrows}_{S_2} \{1/2 : f(b,a),\ 1/2 : f(c,a)\} \overset{i}{\rightrightarrows}_{S_2} \{1/4 : f(b,b),\ 1/4 : f(b,c),\ 1/4 : f(c,b),\ 1/4 : f(c,c)\}$. Here, the last distribution contains two normal forms $f(b,c)$ and $f(c,b)$ that did not occur in the previous rewrite sequence. Since all innermost rewrite sequences keep on adding such normal forms after a certain number of steps for each start term, they always have finite expected derivation length and thus, converge with probability 1 (again, iAST can be shown automatically by AProVE). Note that adding the requirement of being non-erasing would not help to get rid of the left-linearity either, as shown by the PTRS $S_3$ which results from $S_2$ by replacing the $f$-rule with $f(x,x) \to \{1 : d(f(a,a), x)\}$. 
The problem here is that although we rewrite both occurrences of $a$ with the same rewrite rule, the two $a$-symbols are replaced by two different terms (each with a probability $> 0$). This is impossible in the non-probabilistic setting. 

Next, one could try to adapt Thm. 4 to the probabilistic setting (when requiring linearity in addition). So one could investigate whether iAST implies fAST for PTRSs that are linear locally confluent overlay systems. A PTRS $S$ is locally confluent if for all multi-distributions $\mu, \mu_1, \mu_2$ such that $\mu_1 \mathrel{{}_S\!\leftleftarrows} \mu \rightrightarrows_S \mu_2$, there exists a multi-distribution $\mu'$ such that $\mu_1 \rightrightarrows_S^* \mu' \mathrel{{}^{*}_{S}\!\leftleftarrows} \mu_2$, see [14]. Note that in contrast to the non-probabilistic setting, there are non-overlapping PTRSs that are not locally confluent (e.g., the variant $S_4$ of $S_2$ that consists of the rules $f(x,x) \to \{1 : d\}$ and $a \to \{1/2 : b,\ 1/2 : c\}$, since we have $\{1 : d\} \mathrel{{}_{S_4}\!\leftleftarrows} \{1 : f(a,a)\} \rightrightarrows_{S_4} \{1/2 : f(b,a),\ 1/2 : f(c,a)\}$ and the two resulting multi-distributions are not joinable: every multi-distribution reachable from the right one keeps the normal forms $f(b,c)$ or $f(c,b)$ with positive probability). Thus, such an adaption of Thm. 4 would not subsume Thm. 17. 

In contrast to the proof of Thm. 2, the proof of Thm. 4 relies on a minimality requirement for the used redex. In the non-probabilistic setting, whenever a term $t$ starts an infinite rewrite sequence, then there exists a position $\pi$ of $t$ such that there is an infinite rewrite sequence of $t$ starting with the redex $t|_\pi$, but no infinite rewrite sequence of $t$ starting with a redex at a position $\tau > \pi$ which is strictly below $\pi$. In other words, if $t$ starts an infinite rewrite sequence, then there is a “minimal” infinite rewrite sequence starting in $t$, i.e., as soon as one reduces a proper subterm of one of the redexes in the sequence, then one obtains a term which is terminating. However, such minimal infinite sequences do not always exist in the probabilistic setting. 


Example 19 (No Minimal Infinite Rewrite Sequence for AST). Reconsider the PTRS $S_1$ from Ex. 16, which is not fAST. However, there is no “minimal” rewrite sequence with convergence probability $< 1$ such that one rewrite step at a proper subterm of a redex would modify the multi-distribution in such a way that now only rewrite sequences with convergence probability 1 are possible. We have $\{1 : g\} \rightrightarrows_{S_1} \{3/4 : d(g),\ 1/4 : \bot\}$. In Ex. 16, we now alternated between the $d$- and the $g$-rule, resulting in a biased random walk, i.e., we obtained $\{3/4 : d(g),\ 1/4 : \bot\} \rightrightarrows_{S_1} \{3/4 : c(g,g),\ 1/4 : \bot\} \rightrightarrows_{S_1} \{9/16 : c(d(g),g),\ 3/16 : c(\bot,g),\ 1/4 : \bot\} \rightrightarrows_{S_1} \ldots$ The steps with the $d$-rule use redexes that have $g$ as a proper subterm. 

However, there does not exist any “minimal” non-fAST sequence. If we rewrite the proper subterm $g$ of a redex $d(g)$, then this still yields a multi-distribution that is not fAST, i.e., it can still start a rewrite sequence with convergence probability $< 1$. For example, we have $\{3/4 : d(g),\ 1/4 : \bot\} \rightrightarrows_{S_1} \{(3/4)^2 : d(d(g)),\ 1/4 \cdot 3/4 : d(\bot),\ 1/4 : \bot\}$, but the obtained multi-distribution still contains the subterm $g$, and thus, one can still continue the rewrite sequence in such a way that its convergence probability is $< 1$. Again, the same example also shows that there is no “minimal” non-fPAST sequence. 


It remains open whether one can also adapt Thm. 4 to the probabilistic setting 
(e.g., if one can replace non-overlappingness in Thm. 17 by the requirement of 
locally confluent overlay systems). There are two main difficulties when trying 
to adapt the proof of this theorem to PTRSs. First, the minimality requirement 
cannot be imposed in the probabilistic setting, as discussed above. In the non-probabilistic setting, this requirement is needed to ensure that rewriting below a 
position that was reduced in the original (minimal) infinite rewrite sequence leads 
to a strongly normalizing rewrite sequence. Second, the original proof of Thm. 4 
uses Newman’s Lemma [39] which states that local confluence implies confluence 
for strongly normalizing terms t, and thus it implies that t has a unique normal 
form. Local confluence and adaptions of the unique normal form property for the 
probabilistic setting have been studied in [14, 15], which concluded that obtaining 
an analogous statement to Newman’s Lemma for PTRSs that are AST (or PAST) 
would be very difficult. The reason is that one cannot use well-founded induction 
on the length of a rewrite sequence of a PTRS that is AST (or PAST), since 
these rewrite sequences may be infinite. 


4.2 From wAST to fAST 


Next, we investigate wAST. Since iAST implies wAST, we essentially have the same problems as for innermost AST, i.e., in addition to non-overlappingness, we need linearity, as seen in Ex. 16 and 18, as $S_1$ and $S_3$ are iAST (and hence wAST) but not fAST, while they are non-overlapping and non-erasing, but not linear. Furthermore, we need non-erasingness as we did in the non-probabilistic setting for the same reasons, see Ex. 5. 


Theorem 20 (From wAST/wPAST to fAST/fPAST). If a PTRS $S$ is non-overlapping, linear, and non-erasing, then 

    $S$ is fAST  $\iff$  $S$ is wAST 
    $S$ is fPAST $\iff$  $S$ is wPAST 


4.3 From liAST to fAST 


Finally, we look at leftmost-innermost AST as an example for a rewrite strategy that uses an ordering for parallel redexes. In contrast to the non-probabilistic setting (Thm. 7), it turns out that liAST and iAST are not equivalent in general. The counterexample is similar to Ex. 18, which illustrated that fAST and iAST are not equivalent without left-linearity. 


Counterexample 21. Consider the PTRS $S_5$ with the five rules: 

    $b \to \{1/2 : d_1,\ 1/2 : d_2\}$ 
    $f(c_1, d_1) \to \{1 : f(a,b)\}$        $a \to \{1 : c_1\}$ 
    $f(c_2, d_2) \to \{1 : f(a,b)\}$        $a \to \{1 : c_2\}$ 

This PTRS is not iAST (and hence not iPAST) since there exists the infinite rewrite sequence $\{1 : f(a,b)\} \overset{i}{\rightrightarrows}_{S_5} \{1/2 : f(a,d_1),\ 1/2 : f(a,d_2)\} \overset{i}{\rightrightarrows}_{S_5} \{1/2 : f(c_1,d_1),\ 1/2 : f(c_2,d_2)\} \overset{i}{\rightrightarrows}_{S_5} \{1/2 : f(a,b),\ 1/2 : f(a,b)\} \overset{i}{\rightrightarrows}_{S_5} \ldots$, which converges with probability 0. It first “splits” the term $f(a,b)$ with the $b$-rule, and then applies one of the two different $a$-rules to each of the resulting terms. In contrast, when applying a leftmost innermost rewrite strategy, we have to decide which $a$-rule to use before the $b$-rule can split the term. For example, we have $\{1 : f(a,b)\} \overset{li}{\rightrightarrows}_{S_5} \{1 : f(c_1,b)\} \overset{li}{\rightrightarrows}_{S_5} \{1/2 : f(c_1,d_1),\ 1/2 : f(c_1,d_2)\}$. Here, the second term $f(c_1,d_2)$ is a normal form. Since all leftmost innermost rewrite sequences keep on adding such normal forms after a certain number of steps for each start term, the PTRS is liAST (and also liPAST). 


The counterexample above can easily be adapted to variants of innermost 
rewriting that impose different orders on parallel redexes like, e.g., rightmost 
innermost rewriting. 

However, liAST and iAST are again equivalent for non-overlapping PTRSs. For such PTRSs, at most one rule can be used to rewrite at a given position, which prevents the problem illustrated in Ex. 21. 


Theorem 22 (From liAST/liPAST to iAST/iPAST). If a PTRS $S$ is non-overlapping, then 

    $S$ is liAST  $\iff$  $S$ is iAST 
    $S$ is liPAST $\iff$  $S$ is iPAST 


The relations between the different properties for AST of PTRSs (given in Thm. 17, 20, and 22) are summarized below, where each equivalence is labelled with the property needed for it. An analogous figure also holds for PAST. 

    liAST  <==[NO]==>  iAST  <==[NO + LL + RL]==>  fAST  <==[NO + LL + RL + NE]==>  wAST 


5 Improving Applicability 


In this section, we improve the applicability of Thm. 17, which relates fAST and iAST. The results of Sect. 5.1 allow us to remove the requirement of left-linearity by modifying the rewrite relation to simultaneous rewriting. Then in Sect. 5.2 we show that the requirement of right-linearity can be weakened to spareness if one only considers rewrite sequences that start with basic terms. 


5.1 Removing Left-Linearity by Simultaneous Rewriting 


First, we will see that we do not need to require left-linearity if we allow the simultaneous reduction of several copies of identical redexes. For a PTRS $S$, this results in the notion of simultaneous rewriting, denoted $\twoheadrightarrow_S$. While $\twoheadrightarrow_S$ over-approximates $\to_S$, existing techniques for proving iAST [29, 32] (except for the rewriting processor⁴) do not distinguish between both notions of rewriting, i.e., these techniques even prove that every rewrite sequence with the lifting $\overset{i}{\Rrightarrow}_S$ of $\overset{i}{\twoheadrightarrow}_S$ converges with probability 1. So for non-overlapping and right-linear PTRSs, these techniques can be used to prove innermost almost-sure termination w.r.t. $\twoheadrightarrow_S$, which then implies fAST. The following example illustrates our approach for handling non-left-linear PTRSs by applying the same rewrite rule at parallel positions simultaneously. 


⁴ This processor is an optional transformation technique which was added in [32] when improving the DP framework further since it sometimes helps to increase power, but all other (major) DP processors do not distinguish between $\to_S$ and $\twoheadrightarrow_S$. 


Example 23 (Simultaneous Rewriting). Reconsider the PTRS $S_2$ from Ex. 18 with the rules $f(x,x) \to \{1 : f(a,a)\}$ and $a \to \{1/2 : b,\ 1/2 : c\}$ which is iAST, but not fAST. Our new rewrite relation $\overset{i}{\twoheadrightarrow}_{S_2}$ allows us to reduce several copies of the same redex simultaneously, so that we get $\{1 : f(a,a)\} \overset{i}{\Rrightarrow}_{S_2} \{1/2 : f(b,b),\ 1/2 : f(c,c)\} \overset{i}{\Rrightarrow}_{S_2} \{1/2 : f(a,a),\ 1/2 : f(a,a)\}$, i.e., this $\overset{i}{\Rrightarrow}_{S_2}$-sequence converges with probability 0 and thus, $S_2$ is not iAST w.r.t. $\twoheadrightarrow_S$. Note that we simultaneously reduced both occurrences of $a$ in the first step. 


Definition 24 (Simultaneous Rewriting). Let $S$ be a PTRS. A term $s$ rewrites simultaneously to a multi-distribution $\mu = \{p_1 : t_1, \ldots, p_k : t_k\}$ (denoted $s \twoheadrightarrow_S \mu$) if there is a non-empty set of parallel positions $\Pi$, a rule $\ell \to \{p_1 : r_1, \ldots, p_k : r_k\} \in S$, and a substitution $\sigma$ such that $s|_\pi = \ell\sigma$ for every position $\pi \in \Pi$ and $t_j = s[r_j\sigma]_\Pi$ (i.e., $r_j\sigma$ replaces the redex at every position of $\Pi$) for all $1 \leq j \leq k$. We call $s \twoheadrightarrow_S \mu$ an innermost simultaneous rewrite step (denoted $s \overset{i}{\twoheadrightarrow}_S \mu$) if all proper subterms of the redex $\ell\sigma$ are in normal form w.r.t. $S$. 


Clearly, if the set of positions $\Pi$ from Def. 24 is a singleton, then the resulting simultaneous rewrite step is an “ordinary” probabilistic rewrite step, i.e., $\to_S \subseteq \twoheadrightarrow_S$ and $\xrightarrow{i}_S \subseteq \overset{i}{\twoheadrightarrow}_S$. We write $\Rrightarrow_S$ and $\overset{i}{\Rrightarrow}_S$ for the liftings (Def. 8) of $\twoheadrightarrow_S$ and $\overset{i}{\twoheadrightarrow}_S$. 
Corollary 25 (From $\twoheadrightarrow_S$ to $\to_S$). If $S$ is fAST (iAST) w.r.t. $\twoheadrightarrow_S$, i.e., every infinite $\Rrightarrow_S$- (resp. $\overset{i}{\Rrightarrow}_S$-) rewrite sequence converges with probability 1, then $S$ is fAST (iAST). Analogously, if $S$ is fPAST (iPAST) w.r.t. $\twoheadrightarrow_S$, i.e., every infinite $\Rrightarrow_S$- (resp. $\overset{i}{\Rrightarrow}_S$-) rewrite sequence has finite expected derivation length, then $S$ is fPAST (iPAST). 


However, the converse of Cor. 25 does not hold. Ex. 23 shows that $\overset{i}{\twoheadrightarrow}_S$ allows for rewrite sequences that are not possible with $\xrightarrow{i}_S$, and the following example shows the same for $\twoheadrightarrow_S$ and $\to_S$. 


Counterexample 26. Consider the PTRS $S_6$ with the three rules: 

    $f(b,b) \to \{1 : f(a,a)\}$ 
    $f(c,c) \to \{1 : f(a,a)\}$ 
    $a \to \{1/2 : b,\ 1/2 : c\}$ 

This PTRS is fAST (with $\to_{S_6}$ the two $a$-symbols are rewritten one after the other, so one of the normal forms $f(b,c)$ or $f(c,b)$ is reached with probability 1/2 each time). But as in Ex. 23, we have $\{1 : f(a,a)\} \overset{i}{\Rrightarrow}_{S_6} \{1/2 : f(b,b),\ 1/2 : f(c,c)\} \overset{i}{\Rrightarrow}_{S_6} \{1/2 : f(a,a),\ 1/2 : f(a,a)\}$, i.e., there are rewrite sequences with $\overset{i}{\Rrightarrow}_{S_6}$ and thus, also with $\Rrightarrow_{S_6}$, that converge with probability 0. Hence, $S_6$ is not iAST or fAST w.r.t. $\twoheadrightarrow_{S_6}$. Again, the same example also shows that fPAST and fPAST w.r.t. simultaneous rewriting are not equivalent either. 


Note that this kind of simultaneous rewriting is different from the “ordinary” parallelism used for non-probabilistic rewriting, which is typically denoted by $\mathrel{\|\!\to}$. There, one may reduce multiple parallel redexes in a single rewrite step. Here, we do not only allow reducing multiple redexes, but in addition we “merge” the corresponding terms in the multi-distributions that result from rewriting the different redexes. Because of this merging, we only allow the simultaneous reduction of equal redexes, whereas “ordinary” parallel rewriting allows the simultaneous reduction of arbitrary parallel redexes. For example, for $S_2$ from Ex. 18 we have $\{1 : f(a,a)\} \overset{i}{\Rrightarrow}_{S_2} \{1/2 : f(b,b),\ 1/2 : f(c,c)\}$, whereas using ordinary parallel rewriting we would get $\{1 : f(a,a)\} \mathrel{\|\!\rightrightarrows}_{S_2} \{1/4 : f(b,b),\ 1/4 : f(b,c),\ 1/4 : f(c,b),\ 1/4 : f(c,c)\}$. 

The following theorem shows that indeed, we do not need to require left-linearity when moving from iAST/iPAST w.r.t. $\twoheadrightarrow_S$ to fAST/fPAST w.r.t. $\to_S$. 


Theorem 27 (From iAST/iPAST to fAST/fPAST (2)). If a PTRS $S$ is non-overlapping and right-linear, then 

    $S$ is fAST  $\Longleftarrow$  $S$ is iAST w.r.t. $\twoheadrightarrow_S$ 
    $S$ is fPAST $\Longleftarrow$  $S$ is iPAST w.r.t. $\twoheadrightarrow_S$ 


Proof Sketch. We use an analogous construction as for the proof of Thm. 17, but in addition, if we replace a non-innermost rewrite step by an innermost one, then we check whether in the original rewrite sequence, the corresponding innermost redex is “inside” the substitution used for the non-innermost rewrite step. In that case, if this rewrite step applied a non-left-linear rule, then we identify all other (equal) innermost redexes and use $\twoheadrightarrow_S$ to rewrite them simultaneously (as we did for the innermost redex $a$ in Ex. 23). 


Note that Ex. 26 shows that the direction “ => ” does not hold in Thm. 27. 
The following example shows that right-linearity in Thm. 27 cannot be weakened 
to the requirement that S is non-duplicating (i.e., that no variable occurs more 
often in a term on the right-hand side of a rule than on its left-hand side). 


Counterexample 28 (Non-Duplicating Does Not Suffice). Let d(f(a,a)^3) abbreviate
d(f(a,a), f(a,a), f(a,a)). Consider the PTRS S_5 with the four rules:

f(a,x) → {1 : g(a,x)}            g(b,c) → {1 : d(f(a,a)^3)}
a → {1/2 : b, 1/2 : c}           g(c,b) → {1 : d(f(a,a)^3)}

S_5 is not fAST (and thus, also not fPAST), since the infinite rewrite sequence
{1 : f(a,a)} →_{S_5} {1 : g(a,a)} →_{S_5} {1/4 : g(b,b), 1/4 : g(b,c), 1/4 : g(c,b), 1/4 : g(c,c)}
→_{S_5} {1/4 : g(b,b), 1/4 : d(f(a,a)^3), 1/4 : d(f(a,a)^3), 1/4 : g(c,c)} can be seen
as a biased random walk on the number of f(a,a)-subterms that is not AST.
However, for every innermost evaluation with →_{S_5} or ⇛_{S_5}, we have to rewrite
the inner a-symbols first. Afterwards, the f-rule can only be used on redexes
f(t,t) where the resulting term g(t,t) is a normal form. Thus, S_5 is iPAST (and
hence, iAST) w.r.t. ⇛_{S_5}.


Note that for wAST, the direction of the implication in Cor. 25 is reversed,
since wAST requires that for each start term, there exists an infinite rewrite
sequence that is almost-surely terminating, whereas fAST requires that all infinite
rewrite sequences are almost-surely terminating. Thus, if there exists an infinite
→_S-rewrite sequence that converges with probability 1 (showing that S is wAST),
then this is also a valid ⇛_S-rewrite sequence that converges with probability 1
(showing that S is wAST w.r.t. ⇛_S).

Corollary 29 (From →_S to ⇛_S for wAST/wPAST). If S is wAST
(wPAST), then S is wAST (wPAST) w.r.t. ⇛_S.


One may wonder whether simultaneous rewriting could also be used to improve 
Thm. 20 by removing the requirement of left-linearity, but Ex. 30 shows this is 
not possible. 


Counterexample 30. Consider the non-left-linear PTRS S_6 with the two rules:

g → {3/4 : d(g,g), 1/4 : ⊥}          d(x,x) → {1 : c(x)}

This PTRS is not fAST (and thus, also not fPAST), as we have {1 : g} →_{S_6}
{3/4 : d(g,g), 1/4 : ⊥}, which corresponds to a random walk biased towards
non-termination if we never use the d-rule (since 3/4 > 1/4). However, if we always
use the d-rule directly after the g-rule, then we essentially end up with a PTRS
whose only rule is g → {3/4 : c(g), 1/4 : ⊥}, which corresponds to flipping a biased
coin until heads comes up. This proves that S_6 is wPAST and hence, also wAST.
As S_6 is non-overlapping, right-linear, and non-erasing, this shows that a variant
of Thm. 20 without the requirement of left-linearity needs more than just moving
to simultaneous rewriting.


5.2 Weakening Right-Linearity to Spareness 


To improve our results further, we introduce the notion of spareness. The idea
of spareness is to require that variables which occur non-linearly in right-hand
sides may only be instantiated by normal forms. We already used spareness
for non-probabilistic TRSs in [17] to find classes of TRSs where innermost and
full runtime complexity coincide. For a PTRS S, we decompose its signature
Σ = Σ_C ⊎ Σ_D such that f ∈ Σ_D iff f = root(ℓ) for some rule ℓ → μ ∈ S. The
symbols in Σ_C and Σ_D are called constructors and defined symbols, respectively.


Definition 31 (Spareness). Let ℓ → μ ∈ S. A rewrite step ℓσ →_S μσ is
spare if σ(x) is in normal form w.r.t. S for every x ∈ V that occurs more than
once in some r ∈ Supp(μ). A →_S-sequence is spare if each of its →_S-steps is
spare. S is spare if each →_S-sequence that starts with {1 : t} for a basic term t
is spare. A term t ∈ T(Σ, V) is basic if t = f(t_1, ..., t_n) such that f ∈ Σ_D and
t_i ∈ T(Σ_C, V) for all 1 ≤ i ≤ n.


Example 32. Consider the PTRS S_7 with the two rules:

g → {3/4 : d(⊥), 1/4 : g}          d(x) → {1 : c(x,x)}

It is similar to the PTRS S_1 from Ex. 16, but we exchanged the symbols g and
⊥ in the right-hand side of the g-rule. This PTRS is orthogonal but duplicating
due to the d-rule. However, in any rewrite sequence that starts with {1 : t} for
a basic term t we can only duplicate the constructor symbol ⊥ but no defined
symbol. Hence, S_7 is spare.

In general, it is undecidable whether a PTRS is spare, since spareness is
already undecidable for non-probabilistic TRSs. However, there exist computable
sufficient conditions for spareness, see [17].

If a PTRS is spare, and we start with a basic term, then we will only duplicate 
normal forms with our duplicating rules. This means that the duplicating rules 
do not influence the (expected) runtime and, more importantly for AST, the 
probability of termination. As in [17], which analyzed runtime complexity, we 
have to restrict ourselves to rewrite sequences that start with basic terms. So 
we only consider start terms where a single algorithm is applied to data, i.e., 
we may not have any nested defined symbols in our start terms. This leads to 
the following theorem, where “on basic terms” means that one only considers 
rewrite sequences that start with {1 : t} for a basic term t. It can be proved by 
an analogous limit construction as in the proof of Thm. 17. 


Theorem 33 (From iAST/iPAST to fAST/fPAST (3)). If a PTRS S is
orthogonal and spare, then

S is fAST on basic terms ⇔ S is iAST on basic terms
S is fPAST on basic terms ⇔ S is iPAST on basic terms


While iAST on basic terms is the same as iAST in general, the requirement
of basic start terms is a real restriction for fAST, i.e., there exist PTRSs that are
fAST on basic terms, but not fAST in general.


Counterexample 34. Consider the PTRS S_8 with the two rules:

g → {3/4 : s(g), 1/4 : ⊥}          f(s(x)) → {1 : c(f(x), f(x))}

This PTRS behaves similarly to S_1 (see Ex. 16). It is not fAST (and thus, also
not fPAST), as we have {1 : f(g)} →_{S_8} {3/4 : c(f(g), f(g)), 1/4 : f(⊥)}, which
corresponds to a random walk biased towards non-termination (since 3/4 > 1/4).
However, the only basic terms for this PTRS are g and f(t) for terms t that
do not contain g or f. A sequence starting with g corresponds to flipping a biased
coin and a sequence starting with f(t) will clearly terminate. Hence, S_8 is fAST
(and even fPAST) on basic terms. Furthermore, note that S_8 is iPAST (and thus,
also iAST) analogous to S_1. This shows that Thm. 33 cannot be extended to
fAST or fPAST in general.


One may wonder whether Thm. 33 can nevertheless be used in order to prove
fAST of a PTRS S on all terms by using a suitable transformation from S to
another PTRS S' such that S is fAST on all terms iff S' is fAST on basic terms.

There is an analogous difference in the complexity analysis of non-probabilistic
term rewrite systems. There, the concept of runtime complexity is restricted to
rewrite sequences that start with a basic term, whereas the concept of derivational
complexity allows arbitrary start terms. In [19], a transformation was presented
that extends any (non-probabilistic) TRS R by so-called generator rules G(R)
such that the derivational complexity of R is the same as the runtime complexity
of R ∪ G(R), where G(R) are considered to be relative rules whose rewrite steps
do not “count” for the complexity. This transformation can indeed be reused to
move from fAST on basic terms to fAST in general.


Lemma 35. A PTRS S is fAST iff S ∪ G(S) is fAST on basic terms.


For every defined symbol f, the idea of the transformation is to introduce
a new constructor symbol cons_f, and for every function symbol f it introduces
a new defined symbol enc_f. As an example for S_8 from Ex. 32, instead
of starting with the non-basic term c(g, f(g)), we start with the basic term
enc_c(cons_g, cons_f(cons_g)), its so-called basic variant. The new defined symbol enc_c
is used to first build the term c(g, f(g)) at the beginning of the rewrite sequence,
i.e., it converts all occurrences of cons_f for f ∈ Σ_D back into the defined symbol
f, and then we can proceed as if we started with the term c(g, f(g)) directly. For
this conversion, we need another new defined symbol argenc that iterates through
the term and replaces all new constructors cons_f by the original defined symbol
f. Thus, we define the generator rules as in [19] (just with trivial probabilities in
the right-hand sides ℓ → {1 : r}), since we do not need any probabilities during
this initial construction of the original start term.


Definition 36 (Generator Rules G(S)). Let S be a PTRS over the signature
Σ. Its generator rules G(S) are the following set of rules

{enc_f(x_1, ..., x_n) → {1 : f(argenc(x_1), ..., argenc(x_n))} | f ∈ Σ}
∪ {argenc(cons_f(x_1, ..., x_n)) → {1 : f(argenc(x_1), ..., argenc(x_n))} | f ∈ Σ_D}
∪ {argenc(f(x_1, ..., x_n)) → {1 : f(argenc(x_1), ..., argenc(x_n))} | f ∈ Σ_C},

where x_1, ..., x_n are pairwise different variables and where the function symbols
argenc, cons_f, and enc_f are fresh (i.e., they do not occur in S). Moreover, we
define Σ_{G(S)} = {enc_f | f ∈ Σ} ∪ {argenc} ∪ {cons_f | f ∈ Σ_D}.


Example 37. For the PTRS S_8 from Ex. 34, we obtain the following generator
rules G(S_8):

enc_g → {1 : g}
enc_f(x_1) → {1 : f(argenc(x_1))}
enc_c(x_1, x_2) → {1 : c(argenc(x_1), argenc(x_2))}
enc_s(x_1) → {1 : s(argenc(x_1))}
enc_⊥ → {1 : ⊥}
argenc(cons_g) → {1 : g}
argenc(cons_f(x_1)) → {1 : f(argenc(x_1))}
argenc(c(x_1, x_2)) → {1 : c(argenc(x_1), argenc(x_2))}
argenc(s(x_1)) → {1 : s(argenc(x_1))}
argenc(⊥) → {1 : ⊥}


As mentioned, using the symbols cons_f and enc_f, as in [19] every term over
Σ can be transformed into a basic term over Σ ∪ Σ_{G(S)}.
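The following Python code is an added example (mine, not the authors' implementation) of Definition 36 and of the basic-variant encoding: it generates G(S_8) for the signature of Ex. 34, encodes c(g, f(g)) as enc_c(cons_g, cons_f(cons_g)), and normalises that encoding with the generator rules to recover the original term. The tuple term encoding is my own, and ⊥ is written bot.

```python
# Terms are tuples (symbol, arg_1, ..., arg_n); a variable is a bare string such as "x1".
# Signature of S_8 from Counterexample 34: defined symbols and constructors with arities.
SIGMA_D = {"g": 0, "f": 1}
SIGMA_C = {"c": 2, "s": 1, "bot": 0}      # "bot" stands for the constant ⊥

def generator_rules(sigma_d, sigma_c):
    """Definition 36: G(S) as a list of (lhs, {rhs: probability}) pairs."""
    def xs(n):
        return tuple(f"x{i}" for i in range(1, n + 1))
    def argenc_args(n):
        return tuple(("argenc", x) for x in xs(n))
    rules = []
    for f, n in {**sigma_d, **sigma_c}.items():          # enc_f(x1..xn) -> f(argenc(x1)..)
        rules.append((("enc_" + f,) + xs(n), {(f,) + argenc_args(n): 1}))
    for f, n in sigma_d.items():                          # argenc(cons_f(..)) -> f(argenc(..))
        rules.append((("argenc", ("cons_" + f,) + xs(n)), {(f,) + argenc_args(n): 1}))
    for f, n in sigma_c.items():                          # argenc(f(..)) -> f(argenc(..))
        rules.append((("argenc", (f,) + xs(n)), {(f,) + argenc_args(n): 1}))
    return rules

def basic_variant(t, sigma_d):
    """Encode a ground term over Sigma as its basic variant over Sigma ∪ Sigma_G(S):
    the root f becomes enc_f and every defined symbol below it becomes cons_f."""
    def cons(u):
        head = ("cons_" + u[0],) if u[0] in sigma_d else (u[0],)
        return head + tuple(cons(a) for a in u[1:])
    return ("enc_" + t[0],) + tuple(cons(a) for a in t[1:])

def is_basic(t, defined):
    """t = f(t_1..t_n) with f defined and every t_i built from constructors and variables."""
    def ctor_only(u):
        return isinstance(u, str) or (u[0] not in defined and all(ctor_only(a) for a in u[1:]))
    return t[0] in defined and all(ctor_only(a) for a in t[1:])

def match(pattern, term, subst):
    """Syntactic matching; fills subst with the bindings of the pattern's variables."""
    if isinstance(pattern, str):
        if pattern in subst and subst[pattern] != term:
            return False
        subst[pattern] = term
        return True
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, a, subst) for p, a in zip(pattern[1:], term[1:]))

def instantiate(t, subst):
    if isinstance(t, str):
        return subst[t]
    return (t[0],) + tuple(instantiate(a, subst) for a in t[1:])

def normalize(t, rules):
    """Innermost normalisation with the generator rules, which are deterministic
    (a single right-hand side with probability 1) and terminating."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normalize(a, rules) for a in t[1:])
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, t, subst):
            (r, _prob), = rhs.items()
            return normalize(instantiate(r, subst), rules)
    return t
```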

However, even if S is spare, the PTRS S ∪ G(S) is not guaranteed to be spare,
although the generator rules themselves are right-linear. The problem is that
the generator rules include a rule like enc_f(x_1) → {1 : f(argenc(x_1))} where a
defined symbol argenc occurs below the duplicating symbol f on the right-hand
side. Indeed, while S_8 is spare, S_8 ∪ G(S_8) is not. For example, when starting
with the basic term enc_f(s(cons_g)), we have

{1 : enc_f(s(cons_g))} →_{G(S_8)} {1 : f(s(argenc(cons_g)))}
→_{S_8} {1 : c(f(argenc(cons_g)), f(argenc(cons_g)))},

where the last step is not spare. In general, S ∪ G(S) is guaranteed to be spare
if S is right-linear. So we could modify Thm. 33 into a theorem which states
that S is fAST on all terms iff S ∪ G(S) is iAST on basic terms (and thus, on all
terms) for orthogonal and right-linear PTRSs S. However, this theorem would
be subsumed by Thm. 17, where we already showed the equivalence of fAST and
iAST if S is orthogonal and right-linear. Indeed, our goal in Thm. 33 was to
find a weaker requirement than right-linearity. Hence, such a transformational
approach to move from fAST on all start terms to fAST on basic terms does not
seem viable for Thm. 33.

Finally, we can also combine our results on simultaneous rewriting and 
spareness to relax both left- and right-linearity in case of basic start terms. The 
proof for the following theorem combines the proofs for Thm. 27 and Thm. 33. 


Theorem 38 (From iAST/iPAST to fAST/fPAST (4)). If S is non-
overlapping and spare, then

S is fAST on basic terms ⇐ S is iAST w.r.t. ⇛_S on basic terms
S is fPAST on basic terms ⇐ S is iPAST w.r.t. ⇛_S on basic terms


6 Conclusion and Evaluation 


In this paper, we presented numerous new results on the relationship between 
full and restricted forms of AST, including several criteria for PTRSs such that 
innermost AST implies full AST. All of our results also hold for PAST, and all 
of our criteria are suitable for automation (for spareness, there exist sufficient 
conditions that can be checked automatically). 

We implemented our new criteria in our termination prover AProVE [21]. For 
every PTRS, one can indicate whether one wants to analyze its termination 
behavior for all start terms or only for basic start terms. Up to now, AProVE’s 
main technique for termination analysis of PTRSs was the probabilistic DP 
framework from [29, 32] which however can only prove iAST. If one wants to 
analyze fAST for a PTRS S, then AProVE now first tries to prove that the 
conditions of Thm. 33 are satisfied if one is restricted to basic start terms, or that 
the conditions of Thm. 17 hold if one wants to consider arbitrary start terms. If 
this succeeds, then we can use the full probabilistic DP framework in order to 
prove iAST, which then implies fAST. Otherwise, we try to prove all conditions 
of Thm. 38 or Thm. 27, respectively. If this succeeds, then we can use most of 
the processors from the probabilistic DP framework to prove iAST, which again 
implies fAST. If none of these theorems can be applied, then AProVE tries to
prove fAST using a direct application of polynomial orderings [29]. Note that
for AST w.r.t. basic start terms, Thm. 33 generalizes Thm. 17 and Thm. 38
generalizes Thm. 27, since right-linearity implies spareness.

For our evaluation, we compare the old AProVE without any of the new 
theorems (which only uses direct applications of polynomial orderings to prove 
fAST), to variants of AProVE where we activated each of the theorems individually, 
and finally to the new AProVE strategy explained above. The following diagram 
shows the theoretical subsumptions of each of these strategies for basic start 
terms, where an arrow from strategy A to strategy B means that B is strictly 
better than A. 


old AProVE → Thm. 17 → Thm. 33 → new AProVE
old AProVE → Thm. 27 → Thm. 38 → new AProVE


We used the benchmark set of 100 PTRSs from [32], and extended it by 
15 new PTRSs that contain all the examples presented in this paper and some 
additional examples which illustrate the power of each strategy. AProVE can 
prove iAST for 93 of these 118 PTRSs. The following table shows for how many 
of these 93 PTRSs the respective strategy allows us to conclude fAST for basic 
start terms from AProVE’s proof of iAST. 


old AProVE | Thm. 17 | Thm. 27 | Thm. 33 | Thm. 38 | new AProVE
    36     |   48    |   44    |   58    |   56    |     61


From the 61 examples that we can solve by using both Thm. 33 and Thm. 38 
in “new AProVE”, 5 examples (that are all right-linear) can only be solved by 
Thm. 33, 3 examples (where one is right-linear and the others only spare) can only 
be solved by Thm. 38, and 53 examples can be solved by both. If one considers arbitrary 
start terms, then the new AProVE can conclude fAST (using only Thm. 17 and 
Thm. 27) for 49 examples. 

Currently, we only use the switch from full to innermost rewriting as a 
preprocessing step before applying the DP framework. As future work, we want 
to develop a processor within the DP framework that can perform this switch in 
a modular way. Then, the criteria of our theorems do not have to be required 
for the whole PTRS anymore, but just for specific sub-problems within the 
termination proof. This, however, requires developing a DP framework for fAST
directly, which we will investigate in future work.

For details on our experiments, our collection of examples, and for instructions 
on how to run our implementation in AProVE via its web interface or locally, we 
refer to: 


https://aprove-developers.github.io/InnermostToFullAST/
In addition, an artifact is available at [31]. 


Acknowledgements. We thank Stefan Dollase for pointing us to [19]. 
Abstract. A k-Counter Net (k-CN) is a finite-state automaton equipped
with k integer counters that are not allowed to become negative, but 
do not have explicit zero tests. This language-recognition model can be 
thought of as labelled vector addition systems with states, some of which 
are accepting. Certain decision problems for k-CNs become easier, or in- 
deed decidable, when the dimension k is small. Yet, little is known about 
the effect that the dimension k has on the class of languages recognised 
by k-CNs. Specifically, it would be useful if we could simplify algorithmic 
reasoning by reducing the dimension of a given CN. 

To this end, we introduce the notion of dimension-primality for k-CN, 
whereby a k-CN is prime if it recognises a language that cannot be de- 
composed into a finite intersection of languages recognised by d-CNs, for 
some d < k. We show that primality is undecidable. We also study two 
related notions: dimension-minimality (where we seek a single language- 
equivalent d-CN of lower dimension) and language regularity. Addition- 
ally, we explore the trade-offs in expressiveness between dimension and 
non-determinism for CN. 


1 Introduction 


A k-dimensional Counter Net (k-CN) is a finite-state automaton equipped with
k integer counters that are not allowed to become negative, but do not have
explicit zero tests (see Fig. 1a for an example). This language-recognition model
can be thought of as an alphabet-labelled Vector Addition System with States
(VASS), some of whose states are accepting [7]. A k-CN A over alphabet Σ
accepts a word w ∈ Σ* if there is a run of A on w that ends in an accepting
state in which the counters stay non-negative. The language of A is the set L(A)
of words accepted by A.

Counter nets are a natural model of concurrency and are closely related to,
and equivalent in some senses to, labelled Petri Nets. These models have re-
ceived significant attention over the years [6,7,13,14,17,19,27], with specific inter-
est in the one-dimensional case, often referred to as one-counter nets. 
Unfortunately, most decision problems for k-CNs are notoriously difficult and
are often undecidable [1,2]. In particular, k-CNs subsume VASS and Petri nets,
for which many problems are known to be Ackermann-complete, for example see
the recent breakthrough in the complexity of reachability in VASS [25].

In many cases, the complexity of decision problems for VASS, sometimes
with extensions, depends on the dimension, with low dimensions admitting more
tractable solutions [9,8,10,16]. For example, reachability in dimensions one and
two is NP-complete [18] and PSPACE-complete [4], respectively, when counter
updates are encoded in binary.

A natural question, therefore, is whether we can decrease the dimension of
a given k-CN whilst maintaining its language, to facilitate reasoning about
it. More generally, the trade-off between expressiveness and the dimension of
Counter Nets is poorly understood. We tackle this question in this work by
introducing two approaches. The first is straightforward dimension-minimality:
given a k-CN A, does there exist a d-CN B recognising the same language for some
d < k?

The second approach is primality: given a k-CN A, does there exist some d < k
and d-CNs B_1, ..., B_n such that L(A) = ⋂_{i=1}^{n} L(B_i)? That is, we ask whether
the language of A can be decomposed as an intersection of languages recognised
by several lower-dimension CNs. We also consider compositeness, the dual of
primality. Intuitively, in a composite k-CN the usage of the counters can be “split”
across several lower-dimension CNs, allowing for properties (such as universality)
to be checked on each conjunct separately.


Example 1. We illustrate the model and the definition of compositeness. Con-
sider the 2-CN A depicted in Fig. 1a and consider a word w = a^m#b^n#c^k. We
have that A has an accepting run on w iff m ≥ n and m ≥ k. Indeed, if m < n,
the first counter drops below 0 while cycling in the second state and so the run
is “stuck”, and similarly if m < k. It is not hard to show that there is no 1-CN
that recognizes the language of A. However, Fig. 1b shows two 1-CNs B_1 and
B_2 such that L(A) = L(B_1) ∩ L(B_2). Indeed, a word w = a^m#b^n#c^k ∈ L(B_1) iff
m ≥ n, and w ∈ L(B_2) iff m ≥ k.


Note that the decomposition in Example 1 is obtained by “splitting” the
counters between the two 1-CNs. This raises the question of whether such
splittings are always possible. As we show in Proposition 1, for deterministic k-CNs
(k-DCNs) this is indeed the case. In general, however, it is not hard to find
examples where a k-CN cannot simply be split to an intersection by projecting
on each counter. This, however, does not rule out that other decompositions are
possible. Our main result, Theorem 1, gives an example of a prime 2-CN. That
is, a 2-CN whose language cannot be expressed as an intersection of 1-CNs.

[Figure 1 (image not included): (a) A composite 2-CN. (b) Two 1-CNs showing compositeness of the 2-CN, B_1 with transitions a,(1), b,(−1), c,(0) and B_2 with transitions a,(1), b,(0), c,(−1).]

Fig. 1: A composite 2-CN whose language is {a^m#b^n#c^k | m ≥ n ∧ m ≥ k} and
its decomposition into two 1-CNs recognising the languages {a^m#b^n#c^k | m ≥ n}
and {a^m#b^n#c^k | m ≥ k}.

The notion of primality has been studied for regular languages in [24,23,9,22];
the exact complexity of deciding primality is still open. There, an automaton is
composite if it can be written as an intersection of finite automata with fewer
states. In this work we introduce primality for CNs. We focus on dimension as a
measure of size, a notion which does not exist for regular languages. Thus, unlike
regular languages, the difference between prime and composite CNs is not only
in succinctness, but actually in expressiveness, as we later demonstrate.

We parameterise primality and compositeness by the dimension d and the
number n of lower-dimension factors. Thus, a k-CN A is (d,n)-composite if it can
be written as the intersection above. Then, A is composite if it is (d,n)-composite
for some d < k and n ∈ N. Under this view, dimension-minimality is a special
case of compositeness, namely A is dimension-minimal if it is not (k − 1, 1)-
composite. Another particular problem captured by compositeness is regularity.
Indeed, L(A) is regular if and only if A is (0, 1)-composite, since 0-CNs are just
NFAs. Since regularity is already undecidable for 1-CNs [28], it follows that
deciding whether a k-CN is (d,n)-composite is undecidable. Moreover, it follows
that both primality and dimension-minimality are undecidable for 1-CNs.

The undecidability of the above problems is not surprising, as the huge dif-
ference in expressive power between 1-CNs and regular languages is well un-
derstood. In contrast, even the expressive power difference between 1-CNs and
2-CNs is poorly understood, let alone what effect the dimension has on the
expressive power beyond regular languages. Already, 1-VASS and 2-VASS are
known to have flat equivalents with respect to reachability [26], but the com-
plexity differs greatly.

Our goal in this work is to shed light on these differences. In Section 4 we
give a concrete example of a prime 2-CN, which turns out to be technically
challenging. This example is the heart of our technical contribution, and we em-
phasise that we do not currently have a proved example of a prime 3-CN, let
alone for general k-CN (although we conjecture a candidate for such languages).
We consider this an interesting open problem, as it highlights the type of pump-
ing machinery that is currently missing from the VASS/CN reasoning arsenal.
The technical intricacy in proving our example suggests that generalising it is
highly nontrivial. Indeed, proving this claim would require intricate pumping
arguments, which are notoriously difficult even for low-dimensional CNs [9].

Using our example, we obtain in Section 5 the undecidability of primality and
of dimension-minimality for 2-CNs. To complement this, we show in Theorem 3
that regularity of k-DCNs is decidable. In Section 6 we explore trade-offs in
expressiveness of CNs with increasing dimension and with nondeterminism. In
particular, we show that there is a strict hierarchy of expressiveness with respect
to the dimension. We conclude with a discussion in Section 7. For brevity, some
proofs only appear in the full version of the paper.


2 Preliminaries 


We denote the non-negative integers {0,1,...} by N. We write vectors in bold,
e.g., e ∈ Z^k, and e[i] is the i-th coordinate. We use [k] = {1,...,k} for k ≥ 1.
We use Σ* to denote the set of all words over an alphabet Σ, and |w| is the
length of w ∈ Σ*.

A k-dimensional Counter Net (k-CN) A is a quintuple A = (Σ, Q, Q_0, δ, F)
where Σ is a finite alphabet, Q is a finite set of states, Q_0 ⊆ Q is the set of
initial states, δ ⊆ Q × Σ × Z^k × Q is a set of transitions, and F ⊆ Q are the
accepting states. A k-CN is deterministic, denoted k-DCN, if |Q_0| = 1, and for
every p ∈ Q and σ ∈ Σ there is at most one transition of the form (p, σ, v, q) ∈ δ.
For a transition (p, σ, v, q) ∈ δ, we refer to v ∈ Z^k as its effect.

An N-configuration (resp. Z-configuration) of a k-CN A is a pair (q, v) ∈
Q × N^k (resp. (q, v) ∈ Q × Z^k) representing the current state and values of
the counters. A transition (p, σ, e, q) ∈ δ is valid from N-configuration (q, v) if
v + e ∈ N^k, i.e., if all k counters remain non-negative after the transition. A Z-run
ρ of A on w is a sequence of Z-configurations ρ = (q_0, v_0), (q_1, v_1), ..., (q_n, v_n)
such that (q_i, σ_i, v_{i+1} − v_i, q_{i+1}) ∈ δ for every 0 ≤ i ≤ n−1; we may also say that
ρ reads w = σ_0 σ_1 ⋯ σ_{n−1}. An N-run is a Z-run that visits only N-configurations.
Note that all the transitions in an N-run are valid. We may omit N or Z from the
run when it does not matter. For a run ρ = (q_0, v_0), (q_1, v_1), ..., (q_n, v_n) of A,
we denote (q_0, v_0) →^ρ (q_n, v_n). We define the effect of ρ to be eff(ρ) = v_n − v_0.

An N-run ρ is accepting if q_0 ∈ Q_0, v_0 = 0, and q_n ∈ F. We say that
A accepts w if there is an accepting N-run of A on w. The language of A is
L(A) = {w ∈ Σ* | A accepts w}. We say that A is unambiguous if it has at most
one accepting run on any given word. Otherwise we say that it is ambiguous.

An infix π = (q_k, v_k), (q_{k+1}, v_{k+1}), ..., (q_{k+n}, v_{k+n}) of a run ρ is a cycle if
q_k = q_{k+n} and is a simple cycle if it does not contain a cycle as a proper infix.
When discussing an infix π of a 1-CN, we write that π is > 0, ≥ 0, or < 0 if
eff(π) > 0, eff(π) ≥ 0, or eff(π) < 0, respectively.
3 Primality and Compositeness


We begin by presenting our main definitions, followed by some introductory 
properties. 


Definition 1 (Compositeness, Primality, and Dimension-Minimality).
Consider a k-CN A, and let d, n ∈ N. We say that A is (d,n)-composite if there
exist d-CNs B_1, ..., B_n such that L(A) = ⋂_{i=1}^{n} L(B_i). If A is (d,n)-composite
for some d < k and n ∈ N, we say A is composite. Otherwise, A is prime. If A
is not (k − 1, 1)-composite, we say that A is dimension-minimal. We also extend
the definition of primality to languages, and say that a language L is prime if
there is an integer d > 0 such that L = L(A) for some d-CN A, but there are
no (d−1)-CNs B_1, ..., B_n such that L = ⋂_{i=1}^{n} L(B_i).


Remark 1. Note that the special case where A is (0, n)-composite coincides with
the regularity of L(A), and hence also with being (0, 1)-composite.


Observe that in Fig. 1 we in fact show a composite 2-DCN. We now show that
every k-DCN is (1, k)-composite, by projecting to each of the counters separately.
In particular, a k-DCN is prime only when k = 1 and it recognises a non-regular
language, or when k = 0. Formally, consider a k-DCN D = (Σ, Q, Q_0, δ, F) and
let 1 ≤ i ≤ k. We define the i-projection to be the 1-DCN D|_i = (Σ, Q, Q_0, δ|_i, F)
where δ|_i = {(p, σ, v[i], q) | (p, σ, v, q) ∈ δ}.


Proposition 1. Every k-DCN D is (1,k)-composite, and L(D) = ⋂_{i=1}^{k} L(D|_i).


Proof. Let w ∈ L(D) and let ρ be the accepting run of D on w; then the projec-
tion of ρ on counter i induces an accepting run of D|_i on w, thus w ∈ ⋂_{i=1}^{k} L(D|_i).
Note that this direction does not use the determinism of D.

Conversely, let w ∈ ⋂_{i=1}^{k} L(D|_i); then each D|_i has an accepting run ρ_i on
w. Since the structure of all the D|_i is identical to that of D, all the runs ρ_i have
identical state sequences, and therefore are also a Z-run of D on w. Moreover, due
to this being a single N-run in each D|_i, it follows that all counter values remain
non-negative in the corresponding run of D on w. Hence, this is an accepting
N-run of D on w, so w ∈ L(D).


Remark 2 (Unambiguous Counter Nets are Composite). The proof of Proposi-
tion 1 applies also to structurally unambiguous CNs, i.e. CNs whose underlying
automaton, disregarding the counters, is unambiguous. Thus, every unambigu-
ous CN is (1, k)-composite.


Consider k-CNs B_1, ..., B_n. By taking their product, we can construct a (k·n)-
CN A such that L(A) = ⋂_i L(B_i). In particular, if each B_i is a 1-DCN, then
A is an n-DCN. Combining this with Proposition 1 we can deduce the following
(proof can be found in the full version).

Proposition 2. A k-DCN is dimension-minimal if and only if it is not (1, k−1)-
composite.
4 A Prime Two-Counter Net


In this section we present our main technical contribution, namely an example 
of a prime 2-CN. The technical difficulty arises from the need to prove that 
this example cannot be decomposed as an intersection of nondeterministic 1- 
CNs. Since intersection has a “universal flavour”, and nondeterminism has an 
“existential flavour”, we have a sort of “quantifier alternation” which is often a 
source of difficulty. 

The importance of this example is threefold. First, it enables us to show that
primality is undecidable in Section 5. Second, it offers intuition on what makes
a language prime. Third, we suspect that the techniques developed here will
be useful in other settings when reasoning about nondeterministic automata,
perhaps with counters.

We start by presenting the prime 2-CN, followed by an overview of the proof, 
before delving into the details. 


Example 2. Consider the 2-CN P over alphabet Σ = {a, b, c, #} depicted in Fig. 2.
Intuitively, P starts by reading segments of the form a^m#, where in each seg-
ment it nondeterministically chooses whether to increase the first or second
counter by m. Then, it reads b^{m_b}c^{m_c} and accepts if the value of the first and
second counter is at least m_b and m_c, respectively. Thus, P accepts a word if its
a^m# segments can be partitioned into two sets I and Ī so that the combined
length of the segments in I (resp. Ī) is at least the length of the b segment
(resp. c segment). For example, a^{10}#a^{20}#a^{15}#b^{10}c^{30} ∈ L(P), since segments
1 and 2 have length 30, matching c^{30}, and segment 3 matches b^{10}. However,
a^{10}#a^{20}#a^{15}#b^{21}c^{21} ∉ L(P), since in any partition of {10, 20, 15}, one set will
have sum lower than 21. More precisely, we have the following:

L(P) = { a^{m_1}#a^{m_2}#⋯#a^{m_l}#b^{m_b}c^{m_c} | ∃ I ⊆ [l] s.t. Σ_{i∈I} m_i ≥ m_b ∧ Σ_{i∉I} m_i ≥ m_c }

[Figure 2 (image not included)]

Fig. 2: The prime 2-CN P for Example 2 and Theorem 1.


Theorem 1. P is prime. 


The high-level intuition behind Theorem 1 is that any 1-CN can either guess a
subset of segments that covers m_b or m_c, but not both, and in order to make sure
the choices between two 1-CNs form a partition, we need to fix the partition in
advance. This is only possible if the number of segments is a priori fixed, which
is not true (c.f. Remark 3). This intuition, however, is far from a proof.
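An added Python example (mine, not the authors' code) that implements the k-CN semantics of Section 2, the i-projection of Proposition 1 on the 2-DCN of Fig. 1, and the characterisation of L(P) from Example 2. The 2-CN P below is my own reconstruction from the informal description and is not necessarily the automaton of Fig. 2; it assumes m_b, m_c ≥ 1 and non-empty segments. The last checks also show that projecting the nondeterministic P onto its counters yields two 1-CNs whose intersection is strictly larger than L(P), the situation mentioned after Example 1.

```python
from itertools import combinations

class CounterNet:
    """A k-CN (Σ, Q, Q_0, δ, F) as in Section 2; transitions are (p, σ, effect, q)."""
    def __init__(self, k, init, trans, accept):
        self.k, self.init, self.trans, self.accept = k, set(init), list(trans), set(accept)

    def accepts(self, word):
        """Search for an accepting N-run: counters start at 0 and must never go below 0."""
        configs = {(q, (0,) * self.k) for q in self.init}
        for sym in word:
            nxt = set()
            for q, v in configs:
                for p, s, e, r in self.trans:
                    if p == q and s == sym:
                        w = tuple(a + b for a, b in zip(v, e))
                        if min(w) >= 0:            # transition is valid only if v + e ∈ N^k
                            nxt.add((r, w))
            configs = nxt
            if not configs:
                return False
        return any(q in self.accept for q, _ in configs)

    def projection(self, i):
        """The i-projection D|_i of Proposition 1 (0-based i): keep coordinate i of each effect."""
        return CounterNet(1, self.init,
                          [(p, s, (e[i],), r) for p, s, e, r in self.trans], self.accept)

# Fig. 1a: the 2-DCN for {a^m # b^n # c^k | m >= n and m >= k}.
FIG1_A = CounterNet(2, ["q1"], [
    ("q1", "a", (1, 1), "q1"), ("q1", "#", (0, 0), "q2"),
    ("q2", "b", (-1, 0), "q2"), ("q2", "#", (0, 0), "q3"),
    ("q3", "c", (0, -1), "q3")], ["q3"])

def fig1_word(m, n, k):
    return "a" * m + "#" + "b" * n + "#" + "c" * k

# Example 2: my reconstruction of P.  In each a-segment P commits to one counter
# (state s1 pays into counter 1, s2 into counter 2); b's are paid from counter 1
# and c's from counter 2.  Assumes m_b, m_c >= 1 and non-empty segments.
P = CounterNet(2, ["q0"], [
    ("q0", "a", (1, 0), "s1"), ("s1", "a", (1, 0), "s1"), ("s1", "#", (0, 0), "q0"),
    ("q0", "a", (0, 1), "s2"), ("s2", "a", (0, 1), "s2"), ("s2", "#", (0, 0), "q0"),
    ("q0", "b", (-1, 0), "qb"), ("qb", "b", (-1, 0), "qb"),
    ("qb", "c", (0, -1), "qc"), ("qc", "c", (0, -1), "qc")], ["qc"])

def p_word(segments, mb, mc):
    return "".join("a" * m + "#" for m in segments) + "b" * mb + "c" * mc

def in_LP(segments, mb, mc):
    """Membership in L(P) by its characterisation: some I ⊆ [l] with
    sum_{i in I} m_i >= m_b and sum_{i not in I} m_i >= m_c (brute force over subsets)."""
    total = sum(segments)
    for r in range(len(segments) + 1):
        for I in combinations(range(len(segments)), r):
            s = sum(segments[i] for i in I)
            if s >= mb and total - s >= mc:
                return True
    return False
```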


4.1 Overview of the Proof of Theorem 1


Assume by way of contradiction that P is not a prime 2-CN. Thus, there exist
1-CNs V_1, ..., V_k such that L(P) = ⋂_{1≤j≤k} L(V_j). Throughout the proof, we
focus on words of the form a^{m_1}#a^{m_2}#⋯#a^{m_{k+1}}#b^{m_b}c^{m_c} for positive integers
{m_i}_{i=1}^{k+1}, m_b, m_c. We index the a^m segments of these words, so a^{m_i} is the i-th
segment. Note that we focus on words with k + 1 many a segments, one more
than the number of V_j factors in the intersection. It is useful to think about each
segment as “paying” for either b or c. Then, a word is accepted if there is a way
to choose for each segment whether it pays for b or c, such that there is sufficient
budget for both.

Let $i \in [k+1]$ and $j \in [k]$. We say that the $i$-th segment is bad in $V_j$ if, intuitively, we can pump the length $m_i$ of segment $i$ whilst pumping both $m_b$ and $m_c$ to unbounded lengths, such that the resulting words are accepted by $V_j$ (see Definition 2 for the formal definition). For example, consider the word $a^{20}\#a^{10}\#a^{10}\#b^{20}c^{10} \in L(P)$. If the second segment is bad for $V_j$ then there exist $x, y, z > 0$ such that for every $t, t_b, t_c \in \mathbb{N}$ the word $a^{20}\#a^{10+tx}\#a^{10}\#b^{20+t_b y}c^{10+t_c z}$ is in $L(V_j)$. Observe that such behaviour is undesirable, since for fixed $t$ and large enough $t_b, t_c$ the resulting word is not in $L(P)$. Note, however, that the existence of such a bad segment is not a contradiction by itself, since the resulting pumped words might not be accepted by some other 1-CN $V_{j'}$.

In order to reach a contradiction, we need to show the existence of a segment $i$ that is bad for every $V_j$. Moreover, we must also show that arbitrarily increasing $m_i, m_b, m_c$ can be achieved simultaneously in all the $V_j$ together (i.e., the above $x, y, z > 0$ are the same for all $V_j$). This would create a contradiction, since all the $V_j$ would then accept a word that is not in $L(P)$. Our goal is therefore to establish a robust and precise definition of a "bad" segment, then find a word $w$ comprising $k+1$ segments where one of the segments is bad for every $V_j$, and such that pumping the words in each segment can be done synchronously.


4.2 Pumping Arguments in One-Counter Nets 


In this section we establish some pumping results for 1-CN which will be used in the proof of Theorem 1. Throughout this section, we consider a 1-CN $V = (\Sigma, Q, Q_0, \delta, F)$.

Our first lemma states the intuitive fact that without $>0$ cycles, the counter value of a run is bounded (the proof can be found in the full version).


Lemma 1. Let $(q, n)$ be a configuration of $V$, let $W$ be the maximal positive update in $V$, $\sigma \in \Sigma$, and $N \in \mathbb{N}$. If an $\mathbb{N}$-run $\rho$ of $V$ on $\sigma^N$ from configuration $(q, n)$ does not traverse any $>0$ cycle, then the maximal possible counter value anywhere along $\rho$ is $n + W|Q|$.




The next lemma shows that long-enough runs must contain $\ge 0$ cycles.


Lemma 2. Let $\sigma \in \Sigma$ and $(q, n)$ be an $\mathbb{N}$-configuration of $V$. Then there exists $N \in \mathbb{N}$ such that for all $N' \ge N$, every $\mathbb{N}$-run of $V$ on $\sigma^{N'}$ from $(q, n)$ traverses a $\ge 0$ cycle.


Proof. Let $W$ be the maximal positive transition update in $V$; we show that $N = |Q|(n + |Q| \cdot W)$ satisfies the requirements. Assume by way of contradiction that $V$ can read $\sigma^N$ via an $\mathbb{N}$-run $\rho = (q_0, n_0 = n) \xrightarrow{\sigma} \cdots \xrightarrow{\sigma} (q_N, n_N)$ that only traverses $<0$ cycles.

Since $\rho$ visits $N+1$ states, by the Pigeonhole Principle there exists a state $p \in Q$ that is visited $m \ge (N+1)/|Q| > N/|Q|$ many times in $\rho$.

Consider all the indices $0 \le i_1 < i_2 < \cdots < i_m \le N$ such that $p = q_{i_1} = \cdots = q_{i_m}$. Each run segment $(q_{i_1}, n_{i_1}) \to \cdots \to (q_{i_2}, n_{i_2}), \ldots, (q_{i_{m-1}}, n_{i_{m-1}}) \to \cdots \to (q_{i_m}, n_{i_m})$ is a cycle in $\rho$, and therefore must have negative effect. Thus $n_{i_1} > n_{i_2} > \cdots > n_{i_m} \ge 0$, so in particular $n_{i_1} \ge n_{i_m} + m - 1 \ge m - 1$ (as each cycle has effect at most $-1$). Moreover, $n_{i_1} \le n + (|Q| - 1) \cdot W < n + |Q| \cdot W$: the prefix $(q_0, n) \to \cdots \to (q_{i_1}, n_{i_1})$ contains no non-negative cycle, and removing its (negative) cycles only increases the counter values that follow, leaving a simple path of at most $|Q| - 1$ transitions, each adding at most $W$. However, since $m > N/|Q| = n + |Q| \cdot W$ we have $m - 1 \ge n + |Q| \cdot W$, and so $n + |Q| \cdot W \le n_{i_1} < n + |Q| \cdot W$, which is a contradiction.
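As an added illustration of the bound in the proof of Lemma 2 (this script is not from the paper), the following Python enumerates, for a small constructed single-letter 1-CN, all $\mathbb{N}$-runs of a given length and checks that each contains a $\ge 0$ cycle, i.e. a repeated state whose counter has not decreased in between. It reports both the bound $N = |Q|(n + |Q|W)$ and the smallest run length that actually forces such a cycle, showing that the bound is sufficient but far from tight. The net `EXAMPLE_DELTA` is constructed for this demonstration.

```python
"""Brute-force check of the pumping bound of Lemma 2 on a constructed 1-CN.

Lemma 2 says: from configuration (q, n), every N-run on sigma^{N'} with
N' >= N = |Q| * (n + |Q| * W) traverses a >= 0 cycle, where W is the
maximal positive update.  Below, all N-runs of a given length are
enumerated by depth-first search and each is tested for a repeated state
whose counter did not decrease in between (a >= 0 cycle).
Added example; the net EXAMPLE_DELTA is constructed for illustration.
"""


def has_nonneg_cycle(run):
    """run: list of (state, counter).  True iff some state repeats with a
    counter value at least as large as at its earlier occurrence."""
    for i in range(len(run)):
        for j in range(i + 1, len(run)):
            if run[i][0] == run[j][0] and run[j][1] >= run[i][1]:
                return True
    return False


def n_runs(delta, start, length):
    """Yield every N-run of exactly `length` transitions (one letter, so the
    word is sigma^length).  delta: state -> list of (update, target)."""
    def dfs(run):
        if len(run) - 1 == length:
            yield list(run)
            return
        q, c = run[-1]
        for upd, dst in delta.get(q, ()):
            if c + upd >= 0:  # stay within N
                run.append((dst, c + upd))
                yield from dfs(run)
                run.pop()
    yield from dfs([start])


def lemma2_bound(delta, n):
    """N = |Q| * (n + |Q| * W) from the proof of Lemma 2."""
    states = set(delta) | {dst for ts in delta.values() for _, dst in ts}
    W = max((u for ts in delta.values() for u, _ in ts if u > 0), default=0)
    return len(states) * (n + len(states) * W)


def all_runs_have_nonneg_cycle(delta, start, length):
    return all(has_nonneg_cycle(r) for r in n_runs(delta, start, length))


def shortest_forcing_length(delta, start, limit):
    """Smallest N' <= limit such that every N-run of length N' has a >= 0
    cycle (None if there is none up to limit).  Once this holds for N' it
    holds for all longer runs, since a longer run extends a run of length N'."""
    for length in range(1, limit + 1):
        if all_runs_have_nonneg_cycle(delta, start, length):
            return length
    return None


# Constructed net (single letter sigma): q0 -+3-> q1, a negative self-loop
# q1 -(-1)-> q1, an exit q1 -0-> q2, and the only >= 0 cycle q2 -+1-> q2.
# From (q0, 0) the counter value 3 allows at most three iterations of the
# negative loop before the run is forced into q2 and its positive cycle.
EXAMPLE_DELTA = {"q0": [(3, "q1")], "q1": [(-1, "q1"), (0, "q2")], "q2": [(1, "q2")]}

if __name__ == "__main__":
    start = ("q0", 0)
    N = lemma2_bound(EXAMPLE_DELTA, 0)
    print("Lemma 2 bound N =", N)
    print("every N-run of length N has a >= 0 cycle:",
          all_runs_have_nonneg_cycle(EXAMPLE_DELTA, start, N))
    print("shortest forcing length:", shortest_forcing_length(EXAMPLE_DELTA, start, N))
```

For this net the lemma's bound is $3 \cdot (0 + 3 \cdot 3) = 27$, while runs of length 6 already cannot avoid the $\ge 0$ cycle on $q_2$; the enumeration confirms both facts.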


Next, we show that runs with $\ge 0$ and $>0$ cycles have "pumpable" infixes.


Lemma 3. Let $\sigma \in \Sigma$ and consider a $\ge 0$ (resp. $>0$) cycle $\tau = (q_0, c_0) \xrightarrow{\sigma} (q_1, c_1) \xrightarrow{\sigma} \cdots (q_n = q_0, c_n)$ on $\sigma^n$ that induces an $\mathbb{N}$-run. Then, there is a sequence of (not necessarily contiguous) indices $0 \le i_1 < \cdots < i_k \le n$ such that $q_{i_1} \xrightarrow{\sigma} q_{i_2} \xrightarrow{\sigma} \cdots \xrightarrow{\sigma} q_{i_k}$ is a simple $\ge 0$ (resp. $>0$) cycle with some effect $e \ge 0$ (resp. $e > 0$). In addition, this simple cycle is "pumpable" from the first occurrence of $q_{i_1}$ in $\tau$; namely, for all $m \in \mathbb{N}$ there is an $\mathbb{N}$-run $\tau_m$ obtained from $\tau$ by traversing the cycle $m$ times, so that $\mathrm{eff}(\tau_m) = \mathrm{eff}(\tau) + em$.


Proof. We prove the $\ge 0$ case; the $>0$ case can be proved mutatis mutandis.

We write $\tau_m$ for the run obtained from $\tau$ by iterating the pumped cycle $m$ times from the first occurrence of its initial state, so that $\tau_m$ ends in $(q_n, c_n + em)$. The proof is by induction on the length $n$ of $\tau$.

The base of the induction is a cyclic $\mathbb{N}$-run of length 2. In this case $\tau = (q_0, c_0) \xrightarrow{\sigma} (q_1 = q_0, c_1)$ is itself a $\ge 0$ simple cycle that is infinitely pumpable from $(q_0, c_0)$.

We now assume correctness for length $n$, and discuss $\tau = (q_0, c_0) \xrightarrow{\sigma} (q_1, c_1) \xrightarrow{\sigma} \cdots (q_n = q_0, c_n)$ of length $n+1$. Let $0 \le j_1 < j_2 \le n$ be indices such that $q_{j_1} = q_{j_2}$ for a maximal $j_1$. Note that the cycle $\pi = (q_{j_1}, c_{j_1}) \xrightarrow{\sigma} \cdots (q_{j_2}, c_{j_2})$ must be simple. If $j_1 = 0$ and $j_2 = n$, then $\tau$ itself is a simple $\ge 0$ cycle, and the pumping argument is straightforward. Otherwise $\pi$ is nested in $\tau$. We now split into two cases, based on whether $\mathrm{eff}(\pi) \ge 0$.

1. $\pi$ is $\ge 0$: then the induction hypothesis applies to $\pi$. We take the guaranteed indices $j_1 \le i_1 < \cdots < i_k \le j_2$, which apply to $\tau$ as well.

2. $\pi$ is $<0$: then we remove $\pi$ from $\tau$ to obtain $\tau' = (q_0, c_0) \xrightarrow{\sigma} \cdots (q_{j_1}, c_{j_1}) \xrightarrow{\sigma} (q_{j_2+1}, c'_{j_2+1}) \xrightarrow{\sigma} \cdots (q_n, c'_n)$, such that $c'_i > c_i$ for all $j_2 + 1 \le i \le n$. The induction hypothesis applies to $\tau'$, so let $i_1, \ldots, i_k$ be the guaranteed indices. Note that $i_1 \le j_1$, since the cycle removed when obtaining $\tau'$ from $\tau$ is the last occurrence of a repetition of states in $\tau$. We therefore know that $q_{i_1} \xrightarrow{\sigma} q_{i_2} \xrightarrow{\sigma} \cdots q_{i_k}$ is a simple $\ge 0$ cycle in $\tau'$, which applies to $\tau$ as well. In addition, it is infinitely pumpable from the $\mathbb{N}$-configuration $(q_{i_1}, c_{i_1})$ in $\tau'$ for $i_1 \le j_1$. Indeed, since $\tau$ and $\tau'$ coincide up to and including $(q_{i_1}, c_{i_1})$, the pumped iterations start from the same configuration in both runs, and pumping a $\ge 0$ cycle never decreases the counter values that follow, so this cycle is infinitely pumpable in $\tau$ as well.


The simple cycle in Lemma 3 has length $k \le |Q|$. By pumping it $|Q|!/k$ times we obtain a pumpable cycle of length $|Q|!$, allowing us to conclude with the following.


Corollary 1. Let $\rho$ be an $\mathbb{N}$-run of $V$ on $\sigma^n$ that traverses a $\ge 0$ cycle. For every $m \in \mathbb{N}$, we can construct an $\mathbb{N}$-run $\rho'$ of $V$ on $\sigma^{n + m|Q|!}$ such that $\mathrm{eff}(\rho') \ge \mathrm{eff}(\rho)$ by pumping a $\ge 0$ simple cycle in $\rho$.


4.3 Good and Bad Segments 


We lift the classification of cycles as $\ge 0$ and $>0$ to words and runs as follows.^4 For a word $w = uv$ and a run $\rho$, we write e.g. $u_{[\ge 0]}\,v_{[>0]}$ to denote that $\rho$ traverses a $\ge 0$ cycle when reading $u$, then a $>0$ cycle when reading $v$. Note that this does not preclude other cycles, e.g., there could also be negative cycles in the $u$ part, etc. That is, the marking is not unique, but records elements of the run.

Recall our assumption that $L(P) = \bigcap_{1 \le j \le k} L(V_j)$, and for all $j \in [k]$ denote $V_j = (\Sigma, Q_j, I_j, \delta_j, F_j)$. Let $Q_{\max} = \max_j |Q_j|$ and denote $\alpha = Q_{\max}!$. Further recall that we focus on words of the form $a^{m_1}\#a^{m_2}\#\cdots\#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ for integers $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$, and that we refer to the infix $a^{m_i}$ as the $i$-th segment, for $1 \le i \le k+1$. We proceed to formally define good and bad segments.


Definition 2 (Good and Bad Segments). The $i$-th segment is bad in $V_j$ if there exist constants $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$ such that the following hold.

(a) $\{m_i\}_{i=1}^{k+1}, m_b, m_c$ are multiples of $\alpha$, and
(b) there is an accepting $\mathbb{N}$-run $\rho$ of $V_j$ on $w = a^{m_1}\#a^{m_2}\#\cdots\#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ that adheres to one of the three forms:
(i) $(a^{m_1})_{[\ge 0]}\#(a^{m_2})_{[\ge 0]}\#\cdots\#(a^{m_{i-1}})_{[\ge 0]}\#(a^{m_i})_{[>0]}\#a^{m_{i+1}}\#\cdots\#a^{m_{k+1}}\#b^{m_b}c^{m_c}$,
(ii) $(a^{m_1})_{[\ge 0]}\#(a^{m_2})_{[\ge 0]}\#\cdots\#(a^{m_{k+1}})_{[\ge 0]}\#(b^{m_b})_{[\ge 0]}(c^{m_c})_{[\ge 0]}$, or
(iii) $(a^{m_1})_{[\ge 0]}\#(a^{m_2})_{[\ge 0]}\#\cdots\#(a^{m_{k+1}})_{[\ge 0]}\#(b^{m_b})_{[>0]}c^{m_c}$.

The $i$-th segment is good in $V_j$ if it is not bad in $V_j$.


^4 In print, the $\ge 0$ and $>0$ marks on words are rendered as colours, chosen to be accessible for the colourblind. For a greyscale-friendly version, see the full paper.
Lemma 4 formalises the intuition that a bad segment can be pumped simultaneously with both the $b$ and the $c$ segment, giving rise to a word accepted by $V_j$ but rejected by $P$.

Intuitively, Forms (ii) and (iii) indicate that all segments are bad. Indeed, the $i$-th segment has a $\ge 0$ cycle, so it can be pumped safely; in Form (ii) both $b$ and $c$ can be pumped using $\ge 0$ cycles, whereas in Form (iii) we can pump $b$ using a $>0$ cycle and use it to compensate for pumping $c$, even if the latter requires iterating a negative cycle.

Form (i) is the interesting case, where we use a $>0$ cycle in the $i$-th segment to compensate for pumping both $b$ and $c$. The requirement that all segments up to the $i$-th are $\ge 0$ is at the core of our proof and is explained in Section 4.4.


Lemma 4. Suppose the $l$-th segment is bad in $V_j$, with witnessing constants $\{m_i\}_{i=1}^{k+1}, m_b, m_c$ as in Definition 2. Then there exist $x, y, z \in \mathbb{N}$, all multiples of $\alpha$, such that for every $n \in \mathbb{N}$ the following word $w_n$ is accepted by $V_j$:

\[
w_n = a^{m_1}\#a^{m_2}\#\cdots\#a^{m_{l-1}}\#a^{m_l + xn}\#a^{m_{l+1}}\#\cdots\#a^{m_{k+1}}\#b^{m_b + yn}c^{m_c + zn}.
\]


Proof. We can choose $z = \alpha$, then take $y$ to be large enough so that Form (iii) runs can compensate for negative cycles in $c^{zn}$ using $>0$ cycles in $b^{yn}$, whilst not decreasing the counters in Form (ii) runs. We can indeed find such a $y \in \mathbb{N}$ that is a multiple of $\alpha$, since $\alpha$ is divisible by all lengths of simple cycles. Finally, we choose $x$ so that Form (i) runs can compensate for $c^{zn}$ and $b^{yn}$ using $>0$ cycles on $a^{xn}$ in the $l$-th segment, again whilst not decreasing the counters in Forms (ii) and (iii).


Recall that our goal is to show that there is a segment $l \in [k+1]$ that is bad in every $V_j$, for $j \in [k]$. In Lemma 5 we show that each $V_j$ has at most one good segment. Therefore, there are at most $k$ good segments in total, leaving at least one segment that is bad in every $V_j$, as desired.


Lemma 5. Let $j \in [k]$ and $0 < r < s \le k+1$. Then the $r$-th or the $s$-th segment is bad in $V_j$.


Proof. Since $j$ is fixed, denote $V_j = (\Sigma, Q, Q_0, \delta, F)$. We inductively define constants $\{n_i\}_{i=1}^{k+1}, n_b, n_c \in \mathbb{N}$ as follows. Let $n_1$ be a large-enough multiple of $\alpha$ so that Lemma 2 guarantees a $\ge 0$ cycle in any run of $V_j$ on $a^{n_1}$ from some $(q_0, 0)$ with $q_0 \in Q_0$. Now, assume that we have defined $n_1, \ldots, n_{i-1}$, and consider the word $u = a^{n_1}\#a^{n_2}\#\cdots\#a^{n_{i-1}}\#$. Define $n = |u| \cdot W$, where $W$ is the maximal update of any transition of $V_j$. Since $u$ consists of $|u|$ letters, $n + 1$ is greater than any counter value that can be observed in any run of $V_j$ on $u$. We define $n_i$ to be a multiple of $\alpha$ large enough so that Lemma 2 guarantees a $\ge 0$ cycle when reading $a^{n_i}$ from any configuration in $\{(q, n') \mid q \in Q,\ n' \le n + 1\}$. We set $n_b = n_c = \alpha$; the choice of $n_b, n_c$ is somewhat arbitrary. Finally, we set $w = a^{n_1}\#\cdots\#a^{n_{k+1}}\#b^{n_b}c^{n_c}$.

Now, for every $x \in \mathbb{N}$, we obtain from $w$ a word $w_x$ by pumping $x\alpha$ many $a$'s in the $r$-th and $s$-th segments and $x\alpha$ many $b$'s and $c$'s in their respective segments. That is, let $n'_i = n_i + x\alpha$ for $i \in \{r, s\}$ and $n'_i = n_i$ for $i \notin \{r, s\}$, and let $n'_b = n_b + x\alpha$ and $n'_c = n_c + x\alpha$; then $w_x = a^{n'_1}\#\cdots\#a^{n'_{k+1}}\#b^{n'_b}c^{n'_c}$. Observe that $w_x \in L(P)$. Indeed, since $n_r \ge n_b = \alpha$ and $n_s \ge n_c = \alpha$ we have that $n_r + x\alpha \ge n_b + x\alpha$ and $n_s + x\alpha \ge n_c + x\alpha$, so the $r$-th and $s$-th segments alone can pay for the $b$'s and $c$'s, respectively. In particular, $w_x \in L(V_j)$ via some accepting $\mathbb{N}$-run $\rho_x$.
We choose a particular value of $x$ as follows. Consider some $x$ and suppose that an accepting $\mathbb{N}$-run $\rho_x$ as above does not traverse a $>0$ cycle in either the $r$-th or the $s$-th segment. By Lemma 1, the maximal possible counter value of $\rho_x$ after reading

\[
a^{n_1}\#\cdots\#a^{n_{r-1}}\#a^{n_r + x\alpha}\#a^{n_{r+1}}\#\cdots\#a^{n_{s-1}}\#a^{n_s + x\alpha}\#a^{n_{s+1}}\#\cdots\#a^{n_{k+1}}\#
\]

is $M_b = \bigl(k + 1 + \sum_{i \in [k+1] \setminus \{r, s\}} n_i\bigr) \cdot W + 2|Q| \cdot W$. Crucially, this value does not depend on $x$. Further, if there is no $>0$ cycle in the segment of $b$'s as well, then again the maximal counter value of $\rho_x$ up to the $c$ segment is bounded by $M_c = \bigl(k + 2 + \sum_{i \in [k+1] \setminus \{r, s\}} n_i\bigr) \cdot W + 3|Q| \cdot W$, which, like $M_b$, is independent of $x$. By Lemma 2 we can now choose $x$ large enough to satisfy that for every accepting $\mathbb{N}$-run $\rho_x$ on $w_x$:

1. If $\rho_x$ does not traverse any $>0$ cycle in the $r$-th or $s$-th segment, then $\rho_x$ has a $\ge 0$ cycle reading $b^{(\alpha + x\alpha)}$ from any configuration in $\{(q, M') \mid q \in Q,\ M' \le M_b\}$.

2. If $\rho_x$ does not traverse any $>0$ cycle in the $r$-th or $s$-th segment, nor in the $b$ segment, then $\rho_x$ has a $\ge 0$ cycle reading $c^{(\alpha + x\alpha)}$ from any configuration in $\{(q, M'') \mid q \in Q,\ M'' \le M_c\}$.


Having fixed $x$, we claim that for the constants of $w_x$, one of the $r$-th or $s$-th segments is bad in $V_j$. By construction, Lemma 2 guarantees that $\rho_x$ has $\ge 0$ cycles in segments $1, \ldots, r-1$. If $\rho_x$ has a $>0$ cycle in segment $r$, then $\rho_x$ is of Form (i):

\[
(a^{n_1})_{[\ge 0]}\#(a^{n_2})_{[\ge 0]}\#\cdots\#(a^{n_{r-1}})_{[\ge 0]}\#(a^{n_r + x\alpha})_{[>0]}\#a^{n_{r+1}}\#\cdots\#a^{n_s + x\alpha}\#\cdots\#a^{n_{k+1}}\#b^{n_b + x\alpha}c^{n_c + x\alpha},
\]

and so the $r$-th segment must be bad in $V_j$.

Otherwise, if $\rho_x$ does not have a $>0$ cycle in the $r$-th segment, then the construction in Lemma 2 guarantees $\ge 0$ cycles in segments indexed $r, r+1, \ldots, s-1$. Indeed, for the $r$-th segment we are guaranteed a $\ge 0$ cycle reading $a^{n_r}$, all the more so for $a^{n_r + x\alpha}$. As for segments indexed $r+1, \ldots, s-1$: if $\rho_x$ does not have a $>0$ cycle in the $r$-th segment, then the maximal effect of segment $r$ is $|Q| \cdot W$. However, $n_{r+1}$ was constructed to guarantee a $\ge 0$ cycle even in case the effect of segment $r$ is $W n_r \ge W\alpha \ge W|Q|$.

If there is a $>0$ cycle in segment $s$, then $\rho_x$ is again of Form (i):

\[
(a^{n_1})_{[\ge 0]}\#\cdots\#(a^{n_r + x\alpha})_{[\ge 0]}\#\cdots\#(a^{n_{s-1}})_{[\ge 0]}\#(a^{n_s + x\alpha})_{[>0]}\#a^{n_{s+1}}\#\cdots\#a^{n_{k+1}}\#b^{n_b + x\alpha}c^{n_c + x\alpha},
\]

and so the $s$-th segment must be bad in $V_j$.

Otherwise, using the same arguments as for the $r$-th segment, segments indexed $s+1, \ldots, k+1$ each contain a $\ge 0$ cycle. In this case we are left with the $b$ and $c$ segments. The choice of $x$ guarantees a $\ge 0$ cycle in the $b$ segment. If $\rho_x$ traverses a $>0$ cycle in the $b$ segment, then $w_x$ is of Form (iii):

\[
(a^{n'_1})_{[\ge 0]}\#(a^{n'_2})_{[\ge 0]}\#\cdots\#(a^{n'_{k+1}})_{[\ge 0]}\#(b^{n_b + x\alpha})_{[>0]}c^{n_c + x\alpha}.
\]

Finally, if there are no $>0$ cycles in the $b$ segment, then the choice of $x$ again guarantees a $\ge 0$ cycle in the $c$ segment, so $w_x$ is of Form (ii):

\[
(a^{n'_1})_{[\ge 0]}\#(a^{n'_2})_{[\ge 0]}\#\cdots\#(a^{n'_{k+1}})_{[\ge 0]}\#(b^{n_b + x\alpha})_{[\ge 0]}(c^{n_c + x\alpha})_{[\ge 0]}.
\]

In the two latter cases, both the $r$-th and the $s$-th segments are bad in $V_j$.


4.4 Proof of Theorem 1


Given Lemma 5 we now know that each $V_j$ has at most one good segment. Therefore, all 1-CNs $V_1, \ldots, V_k$ together have at most $k$ good segments. Recall that the words we focus on have $k+1$ segments, and therefore there is at least one segment, say the $l$-th segment, that is bad in every $V_j$. Note, however, that this segment may correspond to different constants in each $V_j$. That is, there exist constants $\{m_i^j, m_b^j, m_c^j \mid i \in [k+1],\ j \in [k]\}$ witnessing that the $l$-th segment is bad for each $V_j$. We group the $V_j$ according to the form of their accepting runs $\rho_j$ (see Definition 2):

(i) $(a^{m_1^j})_{[\ge 0]}\#\cdots\#(a^{m_{l-1}^j})_{[\ge 0]}\#(a^{m_l^j})_{[>0]}\#a^{m_{l+1}^j}\#\cdots\#a^{m_{k+1}^j}\#b^{m_b^j}c^{m_c^j}$,
(ii) $(a^{m_1^j})_{[\ge 0]}\#\cdots\#(a^{m_{k+1}^j})_{[\ge 0]}\#(b^{m_b^j})_{[\ge 0]}(c^{m_c^j})_{[\ge 0]}$, or
(iii) $(a^{m_1^j})_{[\ge 0]}\#\cdots\#(a^{m_{k+1}^j})_{[\ge 0]}\#(b^{m_b^j})_{[>0]}c^{m_c^j}$.

We now find constants resulting in a single word for which the $l$-th segment is bad in every $V_j$. First, for $i \in [k+1] \setminus \{l\}$, we define $M_i = \max\{m_i^j \mid j \in [k]\}$; note that these values are still multiples of $\alpha$. Similarly, we define $M_c = \max\{m_c^j \mid j \in [k]\}$. It remains to fix new constants $L$ and $B$, which we do in phases in the following. The resulting word is then

\[
w = a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{L}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c}.
\]

Most steps in the analysis below are based on Lemma 3 and Corollary 1. We first, partially, handle Form (iii) runs. For such $V_j$, there is an accepting $\mathbb{N}$-run $\rho_j$ on

\[
a^{m_1^j}\#\cdots\#a^{m_{l-1}^j}\#a^{m_l^j}\#a^{m_{l+1}^j}\#\cdots\#a^{m_{k+1}^j}\#b^{m_b^j}c^{m_c^j}.
\]

By pumping $\ge 0$ cycles as per Corollary 1 in all segments except $l$ we obtain an accepting $\mathbb{N}$-run $\rho_j'$ on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{m_l^j}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{m_b^j}c^{m_c^j}.
\]

We now pump arbitrary cycles in the $c$ segment to construct a $\mathbb{Z}$-run $\rho_j''$ on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{m_l^j}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{m_b^j}c^{M_c}.
\]

Next, we compensate for possible negative cycles in the $c$ segment by pumping a $>0$ cycle in the $b$ segment. Thus, we construct an $\mathbb{N}$-run $\rho_j'''$ on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{m_l^j}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c},
\]

where $B$ is chosen to be large enough such that $\rho_j'''$ is an $\mathbb{N}$-run for all $V_j$, $j \in [k]$, of Form (iii). Note that it remains to fix $L$.

We now turn to Form (i). With a similar process, we start with an accepting $\mathbb{N}$-run $\rho_j$ on

\[
a^{m_1^j}\#\cdots\#a^{m_{l-1}^j}\#a^{m_l^j}\#a^{m_{l+1}^j}\#\cdots\#a^{m_{k+1}^j}\#b^{m_b^j}c^{m_c^j}.
\]

Pump $\ge 0$ cycles in segments indexed $1, \ldots, l-1$ to obtain an accepting $\mathbb{N}$-run $\rho_j'$ on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{m_l^j}\#a^{m_{l+1}^j}\#\cdots\#a^{m_{k+1}^j}\#b^{m_b^j}c^{m_c^j}.
\]

Now, obtain a $\mathbb{Z}$-run $\rho_j''$ by pumping arbitrary cycles in the remaining segments, including the $b$ and $c$ segments:

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{m_l^j}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c}.
\]

Again, compensate for negative cycles by taking $L$ large enough so that pumping $>0$ cycles in the $l$-th segment yields an accepting $\mathbb{N}$-run $\rho_j'''$ on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{L}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c}.
\]

We now return to Form (iii) and fix the $l$-th segment by pumping $\ge 0$ cycles to construct an accepting $\mathbb{N}$-run on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{L}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c}.
\]

We are left with Form (ii), which is the most straightforward to handle. We simply pump $\ge 0$ cycles in all segments to construct an accepting $\mathbb{N}$-run on

\[
a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{L}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B}c^{M_c}.
\]

Note that the requirement for all segments before the $l$-th to be $\ge 0$ is crucial; otherwise we would not be able to pump all the cycles in all forms simultaneously.

We now have that $w$ is accepted by every $V_j$, and the $l$-th segment is bad for all $V_j$. By applying Lemma 4 for each of the $V_j$ and taking global constants to be the products of the respective constants $x, y, z > 0$ for each $V_j$, we obtain $X, Y, Z \in \mathbb{N}$, multiples of $\alpha$, such that for every $n \in \mathbb{N}$ the word

\[
w_n = a^{M_1}\#\cdots\#a^{M_{l-1}}\#a^{L + Xn}\#a^{M_{l+1}}\#\cdots\#a^{M_{k+1}}\#b^{B + Yn}c^{M_c + Zn}
\]

is accepted by every $V_j$, for every $j \in [k]$.

Finally, we choose $n$ large enough to satisfy $\sum_{i \in [k+1] \setminus \{l\}} M_i < \min\{B + Yn,\ M_c + Zn\}$, so that $w_n \notin L(P)$. This is possible because, w.l.o.g., the $l$-th segment can only pay for $b$, and the remaining segments $[k+1] \setminus \{l\}$ cannot pay for $c$. This contradicts the assumption that $L(P) = \bigcap_{j \in [k]} L(V_j)$, concluding the proof of Theorem 1.


Remark 3 (Unbounded Compositeness). The proof of Theorem 1 shows that if words with $k+1$ segments are allowed, then the language is not $(1, k)$-composite; we use this to establish primality. By intersecting $L(P)$ with words that allow at most $k+1$ segments, we obtain a language that is not $(1, k)$-composite, but it is not hard to show that it is $(1, 2^{k+1})$-composite. This demonstrates that a 2-CN can be composite, but may require unboundedly many factors.


The intuition behind Theorem 1 is that separate counters are needed to keep track of the elements that "cover" $b^+$ and $c^+$. Extending this idea to $k$-CN, we require that the $a$ segments are partitioned into $k$ different sets that cover $k$ "targets".

Conjecture 1. The following language is the language of a prime $k$-CN:

\[
\mathcal{L}_k = \{\, a^{m_1}\#a^{m_2}\#\cdots\#a^{m_t}\#b_1^{n_1}b_2^{n_2}\cdots b_k^{n_k} \;\mid\; \exists I_1, \ldots, I_k \subseteq [t]\ \ \forall i \in [k],\ \sum_{j \in I_i} m_j \ge n_i \ \wedge\ \forall i \ne i',\ I_i \cap I_{i'} = \emptyset \,\}.
\]

While constructing a $k$-CN for $\mathcal{L}_k$ is a simple extension of Example 2, proving that it is indeed prime does not seem to succumb to our techniques, and we leave it as an important open problem (see Section 7).


5 Primality of Counter Nets is Undecidable 


In this section we consider the primality and dimension-minimality decision problems: given a $k$-CN $A$, decide whether $A$ is prime and whether $A$ is dimension-minimal, respectively.

We use our prime 2-CN from Example 2 and the results of Section 4 to show that both problems are undecidable. Our proof is by reduction from the containment problem^5 for 1-CN: given two 1-CNs $A, B$ over alphabet $\Sigma$, decide whether $L(A) \subseteq L(B)$. This problem was shown to be undecidable in [20].

We begin by describing the reduction, which applies to both problems. Consider an instance of 1-CN containment with two 1-CNs $A$ and $B$ over the alphabet $\Sigma$. We construct a 2-CN $C$ as follows. Let $\Delta$ be the alphabet of the 2-CN $P$ from Example 2 and Theorem 1, and let $\$ \notin \Sigma \cup \Delta$ be a fresh symbol. Intuitively, $C$ accepts words of the form $u\$v$ when either $u \in L(A)$ and $v$ is accepted by $P$ starting from the maximal counter value $A$ ended with on $u$, or when $u \in L(B)$ and $v \in \Delta^*$.

Formally, we convert $A$ and $B$ to 2-CNs $A'$ and $B'$ by adding a counter and never modifying its value, so a transition $(p, \sigma, v, q)$ in $A$ becomes $(p, \sigma, (v, 0), q)$ in $A'$, for example. We construct the 2-CN $C$ as follows (see Fig. 3). We take $A'$, $B'$, and $P$, and for every accepting state $q$ of $A'$ we introduce a transition $(q, \$, \mathbf{0}, p_0)$ where $p_0$ is an initial state of $P$. We then add a new accepting state $q_F$ and add the transitions $(q_F, \lambda, \mathbf{0}, q_F)$ for every letter $\lambda \in \Delta$; in other words, $q_F$ is an accepting sink for $\Delta$. We also add transitions $(s, \$, \mathbf{0}, q_F)$ from every accepting state $s$ of $B'$. The initial states are those of $A'$ and $B'$, and the accepting states are those of $P$ and $q_F$.


Theorem 2. Primality and dimension-minimality are undecidable, already for 2-CN.

Proof. We prove the theorem by establishing that $C$ is not prime if and only if $L(A) \subseteq L(B)$, and that $C$ is not dimension-minimal if and only if $L(A) \subseteq L(B)$.


^5 Actually, the complement thereof.
[Fig. 3 (diagram): $A'$ leads via $\$, \mathbf{0}$ transitions into $P$; $B'$ leads via $\$, \mathbf{0}$ transitions into the sink $q_F$, which carries a $\lambda, \mathbf{0}$ self-loop for every $\lambda \in \Delta$.]

Fig. 3: The reduction from 1-CN non-containment to 2-CN primality and dimension-minimality. The dashed accepting states are those of $A'$ and $B'$, and are not accepting in the resulting construction.


Assume that $L(A) \subseteq L(B)$; then the component of $C$ containing $A'$ and $P$ (Fig. 3, left) becomes redundant. Since the component containing $B'$ and $q_F$ only makes use of one counter, $C$ is composite. Formally, we claim that $L(C) = \{u\$v \mid u \in L(B) \wedge v \in \Delta^*\}$. Indeed, if $w \in L(C)$ then $w = u\$v$ so either $u \in L(A') = L(A)$ or $u \in L(B)$, but since $L(A) \subseteq L(B)$ this is equivalent to $u \in L(B)$, and in this case there is simply no condition on $v \in \Delta^*$. Since the second counter is not used in the component containing $B'$ and $q_F$ (Fig. 3, right), we can construct a 1-CN equivalent to $C$ by projecting on the first counter and deleting the component containing $A'$ and $P$ completely. It follows that in this case $C$ is not dimension-minimal, and therefore not prime either.

For the converse, assume that $L(A) \not\subseteq L(B)$, and let $u \in L(A) \setminus L(B)$. Denote $m = \max\{\mathrm{eff}(\rho) \mid \rho \text{ is an accepting run of } A \text{ on } u\}$. Thus, for a word $v \in \Delta^*$ we have that $u\$v \in L(C)$ if and only if $v$ is accepted by $P$ with initial counter $m$. Assume by way of contradiction that $C$ is not prime; then we can write $L(C)$ as an intersection of languages of 1-CNs. Loosely speaking, this will create a contradiction, as we will be able to argue that $P$ is not prime. More precisely, take $v = a^{m_1}\#a^{m_2}\#\cdots\#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ for integers $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$ and consider words of the form $u\$v$. Our analysis from Section 4, specifically the arguments used in the proof of Lemma 5, applied to $u\$v$ shows, mutatis mutandis, that the language of $P$ is not composite regardless of any fixed initial counter value (an analogue of Theorem 1).

We thus have that $C$ is prime, and in particular $C$ is dimension-minimal, concluding the correctness of the reduction.


To contrast the undecidability of primality in nondeterministic CNs, we turn our attention to a decidable fragment of primality, for which we focus on deterministic CNs. Recall that by Proposition 1 a $k$-DCN is dimension-minimal if and only if it is not $(1, k-1)$-composite. Thus, dimension-minimality "captures" primality. We show that regularity, which is equivalent to being $(0, 1)$-composite, is decidable for $k$-DCNs for every dimension $k$.

For dimension one, regularity is already known to be decidable in EXPSPACE, even for history-deterministic 1-CNs [5, Theorem 19]. History-determinism is a restricted form of nondeterminism; history-deterministic CNs are less expressive than nondeterministic CNs but more expressive than DCNs. However, already for $k \ge 2$, regularity is undecidable for history-deterministic $k$-CNs [5, Theorem 20].


Theorem 3. Regularity of $k$-DCN is decidable and is in EXPSPACE.
We provide further details, including a proof of Theorem 3, in the full version. In short, we translate our $k$-DCN into a regularity-preserving Vector Addition System (VAS) and use results on VAS regularity from [8, Theorem 4.5]. We remark that an alternative approach may be taken by adapting the results of [12] on regularity of VASS, although this seems more technically challenging because CNs have accepting states.


6 Expressiveness Trade-Offs between Dimensions and 
Nondeterminism 


Theorem 1 implies that 2-CNs are more expressive than 1-CNs, and that nondeterministic models are more expressive than deterministic ones. In particular, a $k$-DCN can be decomposed by projection (Proposition 1), and has decidable regularity (Theorem 3). It is therefore interesting to study the interplay between increasing the dimension and introducing nondeterminism. In this section we present two results: first, we show that dimension and nondeterminism are, in a sense, incomparable notions. Second, we show that increasing the dimension strictly increases expressiveness, for both CNs and DCNs. We remark that the latter may seem like an intuitive and simple claim. However, to the best of our knowledge it has never been proved, and moreover, it requires a nontrivial approach to pumping with several counters.

We start by showing that nondeterminism can sometimes compensate for low dimension. Let $k \in \mathbb{N}$ and $\Sigma = \{a_1, \ldots, a_k, b_1, \ldots, b_k, c\}$; consider the language $L_k = \{a_1^{n_1}a_2^{n_2}\cdots a_k^{n_k}b_ic^m \mid i \in [k] \wedge n_i \ge m\}$. It is easy to construct a $k$-DCN as well as a 1-CN for $L_k$, as depicted in Figs. 4 and 5 for $k = 3$. To construct a 1-CN we guess which $b_i$ will be read later, and verify the guess using the single counter in the $a_i^{n_i}$ part.


[Fig. 4 (diagram): transitions $a_1, (1,0,0)$, $a_2, (0,1,0)$, $a_3, (0,0,1)$ count each letter; after a $b_i$ transition that leaves the counters unchanged, the $c$ transitions decrement the selected counter, e.g. $c, (0,-1,0)$ and $c, (0,0,-1)$.]

Fig. 4: A 3-DCN for $L_3 = \{a_1^{n_1}a_2^{n_2}a_3^{n_3}b_ic^m \mid i \in [3] \wedge n_i \ge m\}$. Intuitively, the 3-DCN counts the number of occurrences of each letter, and decreases the appropriate counter once the letter $b_i$ selects it.


We now show that the dimension of $L_k$ cannot be minimised whilst maintaining determinism.


[Fig. 5 (diagram): three nondeterministic branches, labelled $a_1, 1\ \ a_2, 0\ \ a_3, 0$; $a_1, 0\ \ a_2, 1\ \ a_3, 0$; and $a_1, 0\ \ a_2, 0\ \ a_3, 1$, each leading through the corresponding $b_i$ to a $c$ loop that decrements the counter.]

Fig. 5: A 1-CN for $L_3 = \{a_1^{n_1}a_2^{n_2}a_3^{n_3}b_ic^m \mid i \in [3] \wedge n_i \ge m\}$. Intuitively, the CN guesses which $b_i$ will be seen, and counts the respective occurrences of the letter $a_i$. Then, once $b_i$ is seen, the counter is decreased on $c$.

Theorem 4. $L_k$ is not recognisable by a $(k-1)$-DCN.

Proof. Assume by way of contradiction that there exists a $(k-1)$-DCN $D = (\Sigma, Q, Q_0, \delta, F)$ such that $L(D) = L_k$. Let $n > |Q|$ and for every $i \in [k]$ consider the word $w_i = a_1^n a_2^n \cdots a_k^n b_i c^n \in L_k$. Since $D$ is deterministic and $n > |Q|$, all of the accepting runs on the $w_i$ coincide up to the $b_i$ part and have cycles in each $a_j^n$ segment as well as in the $c^n$ segment (the latter may differ according to $i$). Let $M$ be the product of the lengths of all these cycles.

First, observe that the cycles in all of the $a_j^n$ segments cannot decrease any counter. Indeed, otherwise by pumping such a cycle for large enough $t > 0$ times, there would not exist an $\mathbb{N}$-run on words with the prefix $a_1^n \cdots a_{j-1}^n a_j^{n + tM}$. This creates a contradiction since, with an appropriate suffix, such words can be accepted.

Thus, all $a_j$ cycles have non-negative effect on all counters. Now, for each counter $i$, associate with $i$ the minimal segment index whose cycle strictly increases counter $i$. Since there are $k-1$ counters and $k$ segments, this map is not surjective; in other words, there is a segment (without loss of generality, the $a_k$ segment) such that every counter that is increased by the $a_k$ cycle is also increased in a previous segment. Therefore, there exist $s, t > 0$ such that the word

\[
a_1^{n + sM} a_2^{n + sM} \cdots a_{k-1}^{n + sM}\, a_k^{n}\, b_k\, c^{n + tM} \notin L_k
\]

is accepted by $D$, which is a contradiction.


We now turn to show that, conversely, dimension can sometimes compensate for nondeterminism. Moreover, we show that there is a strict hierarchy of expressiveness with respect to dimension. Specifically, for $k \in \mathbb{N}$ consider the language

\[
H_k = \{\, a_1^{m_1}a_2^{m_2}\cdots a_k^{m_k}\,b_1^{n_1}b_2^{n_2}\cdots b_k^{n_k} \;\mid\; \forall i \in [k],\ m_i \ge n_i \,\}.
\]


Theorem 5. $H_k$ is recognisable by a $k$-DCN, but not by a $(k-1)$-CN.

Proof (sketch). Constructing a $k$-DCN for $H_k$ is straightforward, by using the $i$-th counter to check that $m_i \ge n_i$, for each $i \in [k]$.


We turn to argue that $H_k$ is not recognisable by a $(k-1)$-CN (see the full version for a complete proof). Assume by way of contradiction that $A = (\Sigma, Q, Q_0, \delta, F)$ is a $(k-1)$-CN with $L(A) = H_k$. We first observe that there exists $m_1 \in \mathbb{N}$ large enough so that every run of $A$ on $a_1^{m_1}$ must traverse a non-negative cycle, i.e., a cycle whose overall effect is $u_1 \in \mathbb{Z}^{k-1}$ with $u_1[i] \ge 0$ for all $i \in [k-1]$. Indeed, this is immediate by a "uniformly bounded" version of Dickson's lemma [15]: any long-enough "controlled" sequence of vectors in $\mathbb{N}^{k-1}$ must contain an $r$-increasing chain, for any $r \in \mathbb{N}$.

By repeating this argument we can ultimately find $m_1, \ldots, m_k$ such that any run of $A$ on $a_1^{m_1}a_2^{m_2}\cdots a_k^{m_k}$ traverses a non-negative cycle in each $a_j$ segment, for $j \in [k]$. Consider now the word $w = a_1^{m_1}a_2^{m_2}\cdots a_k^{m_k}\,b_1^{m_1}b_2^{m_2}\cdots b_k^{m_k} \in H_k$; then there exists an accepting run $\rho$ of $A$ on $w$ such that for each $j \in [k]$, the run $\rho$ traverses a non-negative cycle in segment $a_j$, with effect $u_j \in \mathbb{N}^{k-1}$.

Consider the vectors $u_1, \ldots, u_k$. We claim that there exists $\ell \in [k]$ such that the support of $u_\ell$ is covered by $u_1, \ldots, u_{\ell-1}$ in the following sense: for every counter $i \in [k-1]$, if $u_\ell[i] > 0$, then there exists $j < \ell$ such that $u_j[i] > 0$. Indeed, this holds since otherwise every $u_j$ must contribute a fresh positive coordinate to the union of supports of the previous vectors, but there are $k$ vectors and only $k-1$ coordinates.

Next, observe that since each $u_j$ is the effect of a non-negative cycle taken in $\rho$, the cycle can be pumped without decreasing any subsequent counter value, and hence induces an accepting run on a pumped word. Intuitively, we now proceed by pumping all the $u_j$ cycles for $j < \ell$ some large-enough number $M$ of times, which enables us to remove one iteration of the cycle with effect $u_\ell$ while maintaining an accepting run on a word $w'$ of the form

\[
a_1^{\,\cdot}\cdots a_{\ell-1}^{\,\cdot}\; a_\ell^{m_\ell - d_\ell}\; a_{\ell+1}^{m_{\ell+1}}\cdots a_k^{m_k}\; b_1^{m_1}\cdots b_k^{m_k},
\]

where the first $\ell - 1$ segments are the pumped ones and $d_\ell$ is the length of the removed cycle. Since $m_\ell > m_\ell - d_\ell$, the $b_\ell$ segment is longer than the $a_\ell$ segment. Thus $w' \notin H_k$, which yields a contradiction.


Apart from showing that nondeterminism cannot always compensate for increased dimension, Theorem 5 also shows that for every dimension $k$, there are languages recognisable by a $(k+1)$-DCN (and in particular by a $(k+1)$-CN), but not by any $k$-CN (and in particular not by any $k$-DCN). Thus, we obtain the following hierarchy.

Corollary 2. For every $k \in \mathbb{N}$, $k$-CNs (resp. $k$-DCNs) are strictly less expressive than $(k+1)$-CNs (resp. $(k+1)$-DCNs).


7 Discussion 


Broadly, this work explores the interplay between the dimension of a CN and its 
expressive power. This is done by studying the dimension-minimality problem, 
where we ask whether the dimension of a given CN can be decreased while pre- 
serving its language, and by the more involved primality problem, which allows a 
decomposition to multiple CNs of lower dimension. We show that both primality 
and dimension-minimality are undecidable. Moreover, they remain undecidable 
even when we discard the degenerate dimension 0 case, which corresponds to
finite memory, i.e., regular languages. On the other hand, this degenerate case 
is one where we can show decidability for DCNs. 


This work also highlights a technical shortcoming of the current understanding of high-dimensional CNs: pumping arguments in the presence of $k$ dimensions and nondeterminism are very involved, and are (to the best of our efforts) insufficient to prove Conjecture 1. To this end, we present novel pumping arguments in the proof of Theorem 1, and to some extent in the proof of Theorem 5, which make progress towards pumping in the presence of $k$ dimensions and nondeterminism.
Abstract. We consider the parameterized verification of networks of
agents which communicate through unreliable broadcasts. In this model, 
agents have local registers whose values are unordered and initially dis- 
tinct and may therefore be thought of as identifiers. When an agent 
broadcasts a message, it appends to the message the value stored in one 
of its registers. Upon reception, an agent can store the received value 
or test it for equality against one of its own registers. We consider the 
coverability problem, where one asks whether a given state of the system 
may be reached by at least one agent. We establish that this problem is 
decidable, although non-primitive recursive. We contrast this with the 
undecidability of the closely related target problem where all agents must 
synchronize on a given state. On the other hand, we show that the cov- 
erability problem is NP-complete when each agent only has one register. 


Keywords: Parameterized verification · Well quasi-orders · Distributed 
systems 


1 Introduction 


We consider Broadcast Networks of Register Automata (BNRA), a model for 
networks of agents communicating by broadcasts. These systems are composed 
of an arbitrary number of agents whose behavior is specified with a finite au- 
tomaton. This automaton is equipped with a finite set of private registers that 
contain values from an infinite unordered set. Initially, registers all contain dis- 
tinct values, so these values can be used as identifiers. A broadcast message is 
composed of a symbol from a finite alphabet along with the value of one of the 
sender’s registers. When an agent broadcasts a message, any subset of agents 
may receive it; this models unreliable systems with unexpected crashes and dis- 
connections. Upon reception, an agent may store the received value or test it for 
equality with one of its register values. For example, an agent can check that 
several received messages have the same value. 


* Partly supported by ANR project PaVeDyS (ANR-23-CE48-0005). 
© The Author(s) 2024 


N. Kobayashi and J. Worrell (Eds.): FoSSaCS 2024, LNCS 14575, pp. 250-270, 2024. 
This model was introduced in [10], as a natural extension of Reconfigurable 
Broadcast Networks [12]. In [10], the authors established that coverability is 
undecidable if the agents are allowed to send two values per message. They 
moreover claimed that, with one value per message, coverability was decidable 
and PSPACE-complete; however, the proof turned out to be incorrect [22]. As 
we will see, the complexity of that problem is in fact much higher. 

In this paper we establish the decidability of the coverability problem and 
its completeness for the hyper-Ackermannian complexity class F_{ω^ω}, showing 
that the problem has nonprimitive recursive complexity. The lower bound comes 
from lossy channel systems, which consist (in their simplest version) of a finite 
automaton that uses an unreliable FIFO memory from which any letter may 
be erased at any time [3,8,26]. We further establish that our model lies at the 
frontier of decidability by showing undecidability of the target problem (where 
all agents must synchronize in a given state). We contrast these results with the 
NP-completeness of the coverability problem if each agent has only one register. 


Related work Broadcast protocols are a widely studied class of systems in which 
processes are represented by nodes of a graph and can send messages to their 
neighbors in the graph. There are many versions depending on how one models 
processes, the communication graph, the shape of messages... A model with a 
fully connected communication graph and messages ranging over a finite alpha- 
bet was presented in [13]. When working with parameterized questions over this 
model (i.e., working with systems of arbitrary size), many basic problems are 
undecidable [14]; similar negative results were found for Ad Hoc Networks where 
the communication graph is fixed but arbitrary [12]. This led the community 
to consider Reconfigurable Broadcast Networks (RBN) where a broadcast can 
be received by an arbitrary subset of agents [12]. 

Parameterized verification problems over RBN have been the subject of ex- 
tensive study in recent years, concerning for instance reachability questions [5, 
11], liveness [9] or alternative communication assumptions [4]; however, RBN 
have weak expressivity, in particular because agents are anonymous. In [10], 
RBN were extended to BNRA, the model studied in this article, by the addition 
of registers allowing processes to exchange identifiers. 

Other approaches exist to define parameterized models with registers [6], 
such as dynamic register automata in which processes are allowed to spawn 
other processes with new identifiers and communicate integer values [1]. While 
basic problems on these models are in general undecidable, some restrictions on 
communications allow one to obtain decidability [2,20]. 

Parameterized verification problems often relate to the theory of well quasi- 
orders and the associated high complexities obtained from bounds on the length 
of sequences with no increasing pair (see for example [25]). In particular, our 
model is linked to data nets, a classical model connected to well-quasi-orders. 
Data nets are Petri nets in which tokens are labeled with natural numbers and 
can exchange and compare their labels using inequality tests [18]; in this model, 
the coverability problem is F_{ω^{ω^ω}}-complete [15]. When one restricts data nets to 
only equality tests, the coverability problem becomes F_{ω^ω}-complete [21]. Data 
nets with equality tests do not subsume BNRA. Indeed, in data nets, each process 
can only carry one integer at a time, and problems on models of data nets where 
tokens carry tuples of integers are typically undecidable [17]. 


Overview We start with the model definition and some preliminary results in 
Section 2. As our decidability proof is quite technical, we start by proving de- 
cidability of the coverability problem in a subcase called signature protocols in 
Section 3. We then rely on the intuitions built in that subcase to generalize the 
proof to the general case in Section 4. We also show the undecidability of the 
closely-related target problem. Finally, we prove the NP-completeness of the 
coverability problem for protocols with one register in Section 5. Due to space 
constraints, a lot of proofs, as well as some technical definitions, are only sketched 
in this version. Detailed proofs can be found in the full version, available here. 


In this document, each notion is linked to its definition using the knowledge 
package. On electronic devices, clicking on words or symbols gives access to 
their definitions. 


2 Preliminaries 


2.1 Definitions of the Model 


A Broadcast Network of Register Automata (BNRA) [10] is a model describing 
broadcast networks of agents with local registers. A finite transition system 
describes the behavior of an agent; an agent can broadcast and receive messages 
with integer values, store them in local registers and perform (dis)equality tests. 
There are arbitrarily many agents. When an agent broadcasts a message, every 
other agent may receive it, but does not have to do so. 


Definition 1. A protocol with r registers is a tuple P = (Q, M, Δ, q₀) with Q 
a finite set of states, q₀ ∈ Q an initial state, M a finite set of message types 
and Δ ⊆ Q × Op × Q a finite set of transitions, with operations 


Op = {br(m, i), rec(m, i, ∗), rec(m, i, ↓), rec(m, i, =), rec(m, i, ≠) | m ∈ M, 1 ≤ i ≤ r}. 


Label br stands for broadcasts and rec for receptions. In a reception rec(m, i, α), 
α is its action. The set of actions is Actions := {=, ≠, ↓, ∗}, where ‘=’ is an 
equality test, ‘≠’ is a disequality test, ‘↓’ is a store action and ‘∗’ is a dummy 
action with no effect. The size of P is |P| := |Q| + |M| + |Δ| + r. 


We now define the semantics of those systems. Essentially, we have a finite 
set of agents with r registers each; all registers initially contain distinct values. A 
step consists of an agent broadcasting a message that other agents may receive. 


Definition 2 (Semantics). Let (Q, M, Δ, q₀) be a protocol with r registers, 
and A a finite non-empty set of agents. A configuration over A is a function 
γ : A → Q × ℕ^r mapping each agent to its state and its register values. We write 
st(γ) for the state component of γ and data(γ) for its register component. 
An initial configuration γ is one where for all a ∈ A, st(γ)(a) = q₀ and 
data(γ)(a, i) ≠ data(γ)(a′, i′) for all (a, i) ≠ (a′, i′). 
Given a finite non-empty set of agents A and two configurations γ, γ′ over A, 
a step γ → γ′ is defined when there exist m ∈ M, a₀ ∈ A and i ∈ [1, r] such that 
(st(γ)(a₀), br(m, i), st(γ′)(a₀)) ∈ Δ, data(γ)(a₀) = data(γ′)(a₀) and, for all a ≠ 
a₀, either γ′(a) = γ(a) or there exists (st(γ)(a), rec(m, j, α), st(γ′)(a)) ∈ Δ s.t. 
data(γ′)(a, j′) = data(γ)(a, j′) for j′ ≠ j and: 
– if α = ‘∗’ then data(γ′)(a, j) = data(γ)(a, j), 
– if α = ‘↓’ then data(γ′)(a, j) = data(γ)(a₀, i), 
– if α = ‘=’ then data(γ′)(a, j) = data(γ)(a, j) = data(γ)(a₀, i), 
– if α = ‘≠’ then data(γ′)(a, j) = data(γ)(a, j) ≠ data(γ)(a₀, i). 


Fig. 1: Example of a protocol. 


A run over A is a sequence of steps ρ : γ₀ → γ₁ → ⋯ → γ_k with γ₀, …, γ_k 
configurations over A. We write γ₀ →* γ_k when there exists such a run. A run is 
initial when γ₀ is an initial configuration. 


Remark 3. In our model, agents may only send one value per message. Indeed, 
coverability is undecidable if agents can broadcast several values at once [10]. 


Example 4. Figure 1 shows a protocol with 2 registers. Let A = {a₁, a₂}. We 
denote by (st(γ)(a₁), data(γ)(a₁), st(γ)(a₂), data(γ)(a₂)) a configuration γ over 
A. The following sequence is an initial run: 


(q₀, (1, 2), q₀, (3, 4)) → (q₁, (1, 2), q₂, (1, 4)) → (q₃, (1, 4), q₃, (1, 4)) 
→ (q₄, (1, 4), q₃, (1, 4)) → (q₄, (1, 4), q₄, (1, 4)) 


The broadcast messages are, in this order: (m₂, 1) by a₁, (m₃, 4) by a₂, (m₄, 1) 
by a₂ and (m₄, 1) by a₂. In this run, each broadcast message is received by the 
other agent; in general, however, this does not have to be true. 


Remark 5. From a run ρ : γ₀ →* γ_f, we can build a larger run ρ′ in which, for 
each agent a of ρ, there are arbitrarily many extra agents in ρ′ that end in the 
same state as a, all with distinct register values. To obtain this, ρ′ makes many 
copies of ρ run in parallel on disjoint sets of agents. Because all these copies of 
ρ do not interact with one another and because all agents start with distinct 
values in initial configurations, the different copies of ρ have no register values 
in common. This property is called the copycat principle: if state q is coverable, then 
for all n there exists an augmented run which puts n agents on q. 


Definition 6. The coverability problem COVER asks, given a protocol P and 
a state q_f, whether there is a finite non-empty set of agents A and an initial run 
γ₀ →* γ_f over A that covers q_f, i.e., there is a ∈ A such that st(γ_f)(a) = q_f. 
The target problem TARGET asks, given a protocol P and a state q_f, whether 
there is a finite non-empty set of agents A and an initial run γ₀ →* γ_f 
over A such that, for every a ∈ A, st(γ_f)(a) = q_f, i.e., all agents end on q_f. 


Example 7. Let P be the protocol of Figure 1. As proven in Example 4, (P, q₄) is a 
positive instance of COVER and TARGET. However, let P′ be the protocol obtained 
from P by removing the loop on q₄; (P′, q₄) becomes a negative instance of 
TARGET. Indeed, there must be an agent staying on q₃ to broadcast m₄. Also, 
(P, q₅) is a negative instance of COVER: we would need to be able to have one 
agent on q₂ and one agent on q₀ with the same value in their first registers. 
However, an agent in q₀ has performed no transition so it cannot share register 
values with other agents. 
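The step relation of Definition 2 and the quantification over the set of agents in Definition 6 can be made concrete in a few lines. The following Python is an added example, not code from the paper; the two-register protocol in it is constructed for the illustration and is not the protocol of Figure 1. It encodes a global step (a broadcast plus an arbitrary subset of receivers, each firing one enabled reception with the ‘∗’, ‘↓’, ‘=’, ‘≠’ semantics) and then explores all configurations for a fixed number of agents. The fixed-size search is only a lower bound on COVER, which asks for some set of agents of any size, and the example shows why that matters: the state q5 of the constructed protocol is not reachable with two agents but is with three.

```python
"""Constructed BNRA example: global step semantics (Definition 2) and a brute-force
coverability check for a FIXED number of agents. The protocol below is made up
for this illustration; it is not Figure 1 of the paper."""
from collections import deque
from itertools import product

# Reception actions of rec(m, j, a): '*' dummy, STORE is the paper's down arrow.
ANY, STORE, EQ, NEQ = "*", "store", "=", "!="

def br(q, m, i, q2):
    return (q, ("br", m, i), q2)

def rec(q, m, j, act, q2):
    return (q, ("rec", m, j, act), q2)

# Constructed two-register protocol: an agent announces the id held in register 1;
# another agent stores that id and echoes it back; the announcer then checks whether
# the echoed id is its own (=) or a foreign one (!=).
PROTOCOL = {
    br("q0", "hello", 1, "q1"),
    rec("q0", "hello", 1, STORE, "q2"),
    br("q2", "ack", 1, "q3"),
    rec("q1", "ack", 1, EQ, "q4"),
    rec("q1", "ack", 1, NEQ, "q5"),
}

def initial_configuration(n_agents, r):
    """Every register of every agent holds a distinct value (Definition 2)."""
    return tuple(("q0", tuple(range(a * r + 1, a * r + r + 1))) for a in range(n_agents))

def receive(local, delta, m, value):
    """Apply reception transition delta to the local configuration (state, regs) for
    message (m, value); return the new local configuration, or None if not enabled."""
    q, op, q2 = delta
    if op[0] != "rec":
        return None
    _, rm, j, act = op
    state, regs = local
    if state != q or rm != m:
        return None
    cur = regs[j - 1]
    if act == EQ and cur != value:
        return None
    if act == NEQ and cur == value:
        return None
    if act == STORE:
        regs = regs[:j - 1] + (value,) + regs[j:]
    return (q2, regs)

def successors(protocol, cfg):
    """All configurations one global step away: some agent fires a broadcast and every
    other agent independently either ignores the message or fires one enabled reception."""
    out = set()
    for sender, (state, regs) in enumerate(cfg):
        for delta in protocol:
            q, op, q2 = delta
            if op[0] != "br" or q != state:
                continue
            _, m, i = op
            value = regs[i - 1]                      # the broadcast carries register i
            choices = []
            for a, local in enumerate(cfg):
                if a == sender:
                    choices.append([(q2, regs)])     # sender keeps its registers
                    continue
                opts = [local]                       # not receiving is always allowed
                opts += [nl for d in protocol if (nl := receive(local, d, m, value)) is not None]
                choices.append(opts)
            out.update(tuple(combo) for combo in product(*choices))
    return out

def coverable(protocol, n_agents, r, target):
    """Breadth-first search over the (finite) configurations of exactly n_agents agents.
    COVER quantifies over all sizes, so a False here is not a negative COVER instance."""
    start = initial_configuration(n_agents, r)
    seen, queue = {start}, deque([start])
    while queue:
        cfg = queue.popleft()
        if any(state == target for state, _ in cfg):
            return True
        for nxt in successors(protocol, cfg):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

if __name__ == "__main__":
    print(coverable(PROTOCOL, 2, 2, "q4"))  # True
    print(coverable(PROTOCOL, 2, 2, "q5"))  # False: the only ack echoes the receiver's own id
    print(coverable(PROTOCOL, 3, 2, "q5"))  # True: a third agent hears an ack with a foreign id
```

With two agents the only ack ever broadcast carries the id of the agent that sent hello, so the ‘≠’ test can never pass; a third agent that announced itself separately receives that ack with a foreign value. This is the copycat flavour of Remark 5 in reverse: adding agents can only enlarge the set of coverable states, which is why a decision procedure cannot simply fix |A|.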


Remark 8. In [10], the authors consider the query problem where one looks for 
a run reaching a configuration satisfying some queries. In fact, this problem 
reduces to COVER in exponential time, hence our F_{ω^ω} complexity result also holds for 
the query problem. In the case with one register, one can even find a polynomial- 
time reduction, hence our NP result also holds with queries. 


We finally introduce signature BNRA, an interesting restriction of our model 
where register 1 is broadcast-only and all other registers are reception-only. Said 
otherwise, the first register acts as a permanent identifier with which agents sign 
their messages. An example of such a protocol is displayed in Fig. 2. Under this 
restriction, a message is composed of a message type along with the identifier 
of the sender. This restriction is relevant for pedagogical purposes: we will see 
that it falls into the same complexity class as the general case but makes the 
decidability procedure simpler. 


Definition 9 (Signature protocols). A signature protocol with r registers is 
a protocol P = (Q, M, Δ, q₀) where register 1 appears only in broadcasts in Δ 
and registers i ≥ 2 appear only in receptions in Δ. 


2.2 Classical Definitions 


Fast-growing hierarchy For α an ordinal in Cantor normal form, we denote by ℱ_α 
the class of functions corresponding to level α in the Fast-Growing Hierarchy. 
We denote by F_α the associated complexity class and use the notion of F_α- 
completeness. All these notions are defined in [23]. We will specifically work with 
complexity class F_{ω^ω}. For readers unfamiliar with these notions, F_{ω^ω}-complete 
problems are decidable but with very high complexity (non-primitive recursive, 
and even much higher than the Ackermann class F_ω). 

We highlight that our main result is the decidability of the problem. We show 
that the problem lies in F_{ω^ω} because it does not complicate our decidability proof 
significantly; also, it fits nicely into the landscape of high-complexity problems 
arising from well quasi-orders. 


Well-quasi orders For our decidability result, we rely on the theory of well 
quasi-orders in the context of subword ordering. Let Σ be a finite alphabet and 
w₁, w₂ ∈ Σ*; w₁ is a subword of w₂, denoted w₁ ≼ w₂, when w₁ can be obtained 
from w₂ by erasing some letters. A sequence of words w₀, w₁, … is good if there 
exist i < j such that w_i ≼ w_j, and bad otherwise. Higman’s lemma [16] states 
that every bad sequence of words over a finite alphabet is finite, but there is 
no uniform bound. In order to bound the length of all bad sequences, one must 
bound the growth of the sequence of words. We will use the following result, 
known as the Length function theorem [24]: 


Theorem 10 (Length function theorem [24]). Let Σ be a finite alphabet and 
g : ℕ → ℕ a primitive recursive function. There exists a function f ∈ ℱ_{ω^{|Σ|−1}} 
such that, for all n ∈ ℕ, every bad sequence w₁, w₂, … such that |w_i| ≤ g^(i)(n) 
for all i has at most f(n) terms (where g^(i) denotes g applied i times). 


2.3 A Complexity Lower Bound for COVER Using LCS 


Lossy channel systems (LCS) are systems where finite-state processes communi- 
cate by sending messages from a finite alphabet through lossy FIFO channels. 
Unlike in the non-lossy case [7], reachability of a state is decidable for lossy chan- 
nel systems [3], but has non-primitive recursive complexity [26] and is in fact 
F_{ω^ω}-complete [8]. By simulating LCS using BNRA, we obtain our F_{ω^ω} lower 
bound for the coverability problem: 


Proposition 11. COVER for signature BNRA is F_{ω^ω}-hard. 


Proof sketch. Given an LCS ℒ, we build a signature protocol P with two regis- 
ters. Each agent starts by receiving a foreign identifier and storing it in its second 
register; using equality tests, it then only accepts messages with this identifier. 
Each agent has at most one predecessor, so the communication graph is a forest 
where messages propagate from roots to leaves. Each branch simulates an execu- 
tion of ℒ. Each agent of the branch simulates a step of the execution: it receives 
from its predecessor a configuration of ℒ, chooses the next configuration of ℒ 
and broadcasts it, sending first the location of ℒ and then, letter by letter, the 
content of the channel. It could be that some messages are not received, hence 
the lossiness. 


3 Coverability Decidability for Signature Protocols 


This section and the next one are dedicated to the proof of our main result: 
Theorem 12. COVER for BNRA is decidable and F_{ω^ω}-complete. 


For the sake of clarity, in this section, we will first focus on the case of 
signature BNRA. As a preliminary, we start by defining a notion of local run 
meant to represent the projection of a run onto a given agent. 


3.1 Local runs 


A local configuration is a pair (q, ν) ∈ Q × ℕ^r. An internal step from (q, ν) to 
(q′, ν′) with transition δ ∈ Δ, denoted (q, ν) –int(δ)→ (q′, ν′), is defined when ν = ν′ 
and δ = (q, br(m, i), q′) is a broadcast. A reception step from (q, ν) to (q′, ν′) 
with transition δ ∈ Δ and value v ∈ ℕ, denoted (q, ν) –ext(δ, v)→ (q′, ν′), is defined 
when δ is of the form (q, rec(m, j, α), q′) with ν(j′) = ν′(j′) for all j′ ≠ j and: 
– if α = ‘∗’ then ν(j) = ν′(j), 
– if α = ‘↓’ then ν′(j) = v, 
– if α = ‘=’ then ν(j) = ν′(j) = v, 
– if α = ‘≠’ then ν(j) = ν′(j) ≠ v. 
Such a reception step corresponds to receiving message (m, v); in a local run, 
one does not specify the origin of a received message. A local step (q, ν) → (q′, ν′) 
is either a reception step or an internal step. A local run u is a sequence of local 
steps denoted (q₀, ν₀) →* (q, ν). Its length |u| is its number of steps. 
A value v ∈ ℕ appearing in u is initial if it appears in ν₀ and non-initial 
otherwise. For v ∈ ℕ, the v-input In_v(u) (resp. v-output Out_v(u)) is the sequence 
m₀ ⋯ m_ℓ ∈ M* of message types received (resp. broadcast) with value v in u. 


3.2 Unfolding Trees 


We first prove decidability of COVER for signature BNRA. Note that, in signature 
protocols, the initial values of reception-only registers are not relevant as they 
can never be shared with other agents. We deduce from this idea the following 
informal observation: 


Observation 13 In signature BNRA, when some agent receives a message, it 
can compare the value of the message only with the ones of previously received 
messages, i.e., check whether the sender is the same. 


If we want to turn a local run u of an agent a into an actual run, we must 
match a’s receptions with broadcasts. Because of Observation 13, what matters 
is not the actual values of the receptions in u but which ones are equal to which. 
Therefore, for a value v received in u, if m₁ ⋯ m_p ∈ M* are the message types 
received in u with value v in this order, it means that, to execute u, a needs 
another agent a′ to broadcast message types m₁ to m_p, all with the same value. 
We describe what an agent needs from other agents as a set of specifications 
which are words of M*. 
Fig. 2: Example of a signature protocol. 


To represent runs, we consider unfolding trees that abstract runs by repre- 
senting such specifications, dependencies between them and how they are carried 
out. In this tree, each node is assigned a local run and the specification that it 
carries out. Because of copycat arguments, we will in fact be able to duplicate 
agents so that each agent only accomplishes one task, hence the tree structure. 


Definition 14. An unfolding tree T over P is a finite tree where nodes μ have 
three labels: 


– a local run of P, written lr(μ); 
– a value in ℕ, written val(μ); 
– a specification spec(μ) ∈ M*. 


Moreover, all nodes μ in T must satisfy the three following conditions: 


(i) Initial values of lr(μ) are never received in lr(μ), 
(ii) spec(μ) ≼ Out_{val(μ)}(lr(μ)), (recall that ≼ denotes the subword relation) 
(iii) For each value v received in lr(μ), μ has a child μ′ s.t. In_v(lr(μ)) ≼ spec(μ′). 


Lastly, given T an unfolding tree, we define its size by |T| := Σ_{μ∈T} |μ| where 
|μ| := |lr(μ)| + |spec(μ)|. Note that the size of T takes into account the size of 
its nodes, so that a tree T can be stored in space polynomial in |T| (renaming the 
values appearing in T if needed). 


We explain this definition. Condition (i) enforces that the local run cannot 
cheat by receiving its initial values. Condition (ii) expresses that lr(μ) broadcasts 
(at least) the messages of spec(μ). We can use the subword relation ≼ (instead 
of equality) because messages do not have to be received. Condition (iii) expresses 
that, for each value v received in the local run lr(μ), μ has a child who is able 
to broadcast the sequence of messages that lr(μ) receives with value v. 


Example 15. Figure 2 provides an example of a signature protocol. Let A = 
{a₁, a₂, a₃}. We denote a configuration γ by (st(γ)(a₁), data(γ)(a₁), 
st(γ)(a₂), data(γ)(a₂), st(γ)(a₃), data(γ)(a₃)). Irrelevant register values are 
denoted by _. Let ρ be the run over A of initial configuration 
(q₀, (1, _, _), q₀, (2, _, _), q₀, (3, _, _)) where the following occurs: 


– a₂ broadcasts rdy, a₁ receives: (q₁, (1, 2, _), q₀, (2, _, _), q₀, (3, _, _)), 
– a₃ broadcasts rdy, a₁ and a₂ receive: (q₂, (1, 2, 3), q₅, (2, _, _), q₀, (3, _, _)), 
– a₂ broadcasts rdy, a₃ receives: (q₂, (1, 2, 3), q₅, (2, _, _), q₅, (3, _, _)), 
– a₂ broadcasts go, a₁ receives: (q₃, (1, 2, 3), q₆, (2, _, _), q₅, (3, _, _)), 
– a₃ broadcasts hlt, a₁ receives: (q₄, (1, 2, 3), q₆, (2, _, _), q₇, (3, _, _)). 


Fig. 3: Example of an unfolding tree derived from ρ (the grids are not reproduced 
here; the tree has root μ₁ (a₁ in ρ, spec = ε, v = 1) with children μ₂ (a₂, spec = 
rdy·go, v = 2) and μ₃ (a₃, spec = rdy·hlt, v = 3); μ₄ (a₃, spec = rdy, v = 4) is the 
child of μ₂; μ₅ (a₂, spec = rdy, v = 5) is the child of μ₃ and μ₆ (a₃, spec = rdy, 
v = 6) the child of μ₅). Grids correspond to local runs, a column of a grid is a local 
configuration. Transition δ_ij is the transition between state q_i and state q_j, for 
example δ₀₁ = (q₀, rec(rdy, 2, ↓), q₁). If δ is a reception of m ∈ M, ext(δ, v) 
corresponds to receiving message (m, v); if δ is a broadcast of m ∈ M, int(δ) 
corresponds to broadcasting (m, id) where id is the value in the first register of the 
agent. Initial values of reception-only registers are irrelevant and written as ‘_’. 
Colors correspond to message types. 


Figure 3 provides an unfolding tree derived from ρ by applying a procedure 
introduced later. Because agents a₂ and a₃ broadcast to several other agents, 
they each correspond to several nodes of the tree. 

We explain why this tree is an unfolding tree. Condition (i) is trivially sat- 
isfied. Condition (ii) holds at every node because the local run of each node 
exactly broadcasts the specification of the node. Condition (iii) is satisfied at 
μ₁: In₂(lr(μ₁)) = rdy·go = spec(μ₂) and In₃(lr(μ₁)) = rdy·hlt = spec(μ₃). It is 
also satisfied at μ₂, μ₃ and μ₅ because their local runs only receive rdy and they 
each have a child with specification rdy. It is trivially satisfied at μ₄ and μ₆ as 
their local runs have no reception. 
Lemma 16. Given a signature protocol P with a state q_f, q_f is coverable in P 
if and only if there exists an unfolding tree whose root is labelled by a local run 
covering q_f. We call such an unfolding tree a coverability witness. 


Proof. Given a run ρ, agent a satisfies a specification w ∈ M* in ρ if the sequence 
of message types broadcast by a admits w as a subword. 

Let τ be a coverability witness. We prove the following property by strong 
induction on the depth of μ: for every μ in τ, there exists a run ρ with an agent 
a whose local run in ρ is lr(μ) and who satisfies specification spec(μ). This 
is trivially true for leaves of τ because their local runs have no reception (by 
condition (iii)) hence are actual runs by themselves. Let μ be a node of τ, u := 
lr(μ) and v₁, …, v_c the values received in u. These values are non-initial thanks 
to condition (i); applying condition (iii) gives the existence of corresponding 
children μ₁, …, μ_c in τ. We apply the induction hypothesis on the subtrees 
rooted in μ₁, …, μ_c to obtain runs ρ₁, …, ρ_c satisfying the specifications of the 
children of μ. Up to renaming agents, we can assume the sets of agents of these 
runs are disjoint; up to renaming values, we can assume that v_j = val(μ_j) for 
all j and that all agents start with distinct values. We build an initial run ρ 
whose set of agents is the union of the agents of the c runs along with a fresh agent 
a. In ρ, we make ρ₁ to ρ_c progress in parallel and make a follow the local run 
u, matching each reception with value v_j in u with a broadcast in ρ_j. This is 
possible because, for all j, In_{v_j}(u) ≼ spec(μ_j) ≼ Out_{v_j}(ρ_j) (by (ii)). 

Conversely, we prove the following by induction on the length of ρ: for every 
initial run ρ, for every agent a in ρ and for every v ∈ ℕ, there exists an unfolding 
tree whose root has as local run the projection of ρ onto a and as specification 
the v-output of a in ρ. If ρ is the empty run, consider the unfolding tree with a 
single node whose local run and specification are empty. Suppose now that ρ has 
non-zero length, let a be an agent in ρ, v ∈ ℕ and let ρ_p be the prefix run of ρ of length 
|ρ| − 1. Let τ₁ be the unfolding tree obtained by applying the induction hypothesis 
to ρ_p, a and v, and consider τ₂ obtained by simply appending the last step of a 
in ρ to the local run at the root of τ₁. If this last step is a broadcast, we obtain 
an unfolding tree; if the broadcast value is v, we append the broadcast message 
type to the specification at the root of τ₂ and we are done. Suppose that, in the 
last step of ρ, a performs a reception (q, rec(m, i, α), q′) of a message (m, v′). 
We might need to adapt τ₂ to respect condition (iii) at the root. Let a′ be the agent 
broadcasting in the last step of ρ. Let τ₃ be the unfolding tree obtained by applying 
the induction hypothesis to ρ_p, a′ and v′. Let τ₄ be the unfolding tree obtained by appending 
the last broadcast to the local run at the root of τ₃ and the corresponding 
message type to the specification at the root of τ₃. Attaching τ₄ below the root 
of τ₂ gives an unfolding tree satisfying the desired properties. 


The unfolding tree τ of Figure 3 is built from ρ of Example 15 using the 
previous procedure. Observe that the unfolding tree τ is a coverability witness 
for q₄. However, one can find a smaller coverability witness. Indeed, in the right 
branch of τ, μ₅ and μ₆ have the same specification, therefore μ₅ can be deleted 
and replaced with μ₆. More generally, we would have also been able to shorten 
the tree if we had spec(μ₅) ≼ spec(μ₆). 
Remark 17. With the previous notion of coverability witness, the root has to 
cover q_f but may have an empty specification. However, we will later need the 
length of the specification of a node to be equal to the number of tasks that 
it must carry out. For this reason, we will, in the rest of this paper, consider 
that the roots of coverability witnesses have a specification of length 1. This can 
be formally achieved by introducing a new message type m_f that may only be 
broadcast from q_f and require that, at the root, spec = m_f. 


3.3 Bounding the Size of a Coverability Witness 


In all the following, we fix a positive instance (P, q_f) of COVER with r + 1 registers 
(i.e., r registers used for reception) and a coverability witness τ of minimal size. 
We turn the observation above into an argument that will be useful towards 
bounding the length of branches of a coverability witness: 


Lemma 18. If a coverability witness τ for (P, q_f) of minimal size has two nodes 
μ, μ′ with μ a strict ancestor of μ′, then spec(μ) cannot be a subword of spec(μ′). 


Proof. Otherwise, replacing the subtree rooted in μ with the one rooted in μ′ 
would contradict minimality of τ. 
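Conditions (i)–(iii) of Definition 14 and the subtree replacement of Lemma 18 are mechanical enough to check by program. The Python below is an added example, not code from the paper. It builds a tree with the node names, values and specifications that Example 15 and the description of Figure 3 give for μ₁ to μ₆; the local runs themselves are assumed here (they follow the steps of ρ, but Figure 3 is not reproduced), and the root additionally ends with a broadcast of the marker type m_f of Remark 17. The checker then reports violations of (i)–(iii), and the shrinking step replaces μ₅ by μ₆ as in the discussion above. Leaving the marker out shows why Remark 17 is needed: an empty root specification is a subword of every other specification, so the same step would collapse the tree onto μ₂.

```python
"""Added example (not from the paper): checking Definition 14 on an unfolding tree of a
signature protocol and applying the subtree replacement behind Lemma 18. Node names,
values and specifications follow the description of Figure 3; the local runs are assumed."""
from dataclasses import dataclass, field

@dataclass
class Node:
    val: int            # val(mu): the agent's identifier, i.e. its broadcast-only register 1
    run: list           # lr(mu): ("int", m) broadcasts (m, val); ("ext", m, v) receives (m, v)
    spec: list          # spec(mu), a word over M
    children: list = field(default_factory=list)

def is_subword(u, w):
    """The subword relation of Section 2.2: u is obtained from w by erasing letters.
    A greedy left-to-right match is exact for this relation."""
    it = iter(w)
    return all(any(x == y for y in it) for x in u)

def outputs(node):
    """Out_val(mu)(lr(mu)): in a signature protocol every broadcast carries val(mu)."""
    return [step[1] for step in node.run if step[0] == "int"]

def inputs(node, v):
    """In_v(lr(mu)): the message types received with value v, in order."""
    return [step[1] for step in node.run if step[0] == "ext" and step[2] == v]

def received_values(node):
    return sorted({step[2] for step in node.run if step[0] == "ext"})

def violations(node, name="root"):
    """Describe every violated condition of Definition 14 in the subtree rooted at node."""
    errs = []
    if node.val in received_values(node):                        # (i)
        errs.append(f"{name}: (i) own initial value {node.val} is received")
    if not is_subword(node.spec, outputs(node)):                 # (ii)
        errs.append(f"{name}: (ii) spec {node.spec} not a subword of output {outputs(node)}")
    for v in received_values(node):                              # (iii)
        if not any(is_subword(inputs(node, v), c.spec) for c in node.children):
            errs.append(f"{name}: (iii) no child covers In_{v} = {inputs(node, v)}")
    for k, child in enumerate(node.children):
        errs += violations(child, f"{name}.{k}")
    return errs

def size(node):
    """|T| = sum over nodes of |lr(mu)| + |spec(mu)|."""
    return len(node.run) + len(node.spec) + sum(size(c) for c in node.children)

def descendants(node):
    for c in node.children:
        yield c
        yield from descendants(c)

def shrink(node):
    """Lemma 18: if spec(mu) is a subword of spec(mu') for a strict descendant mu', the
    subtree at mu' can stand in for the one at mu, since the parent only needs
    In_v <= spec(mu) <= spec(mu'). Applied top-down, then recursively on children."""
    for d in descendants(node):
        if is_subword(node.spec, d.spec):
            return shrink(d)
    node.children = [shrink(c) for c in node.children]
    return node

def build_tree(mark_root=True):
    """Tree shaped like Figure 3 (assumed local runs). With mark_root, the root ends by
    broadcasting the extra type m_f of Remark 17 and has specification m_f."""
    mu6 = Node(6, [("int", "rdy")], ["rdy"])
    mu5 = Node(5, [("int", "rdy"), ("ext", "rdy", 6)], ["rdy"], [mu6])
    mu4 = Node(4, [("int", "rdy")], ["rdy"])
    mu3 = Node(3, [("int", "rdy"), ("ext", "rdy", 5), ("int", "hlt")], ["rdy", "hlt"], [mu5])
    mu2 = Node(2, [("int", "rdy"), ("ext", "rdy", 4), ("int", "go")], ["rdy", "go"], [mu4])
    root_run = [("ext", "rdy", 2), ("ext", "rdy", 3), ("ext", "go", 2), ("ext", "hlt", 3)]
    if mark_root:
        root_run.append(("int", "m_f"))
    return Node(1, root_run, ["m_f"] if mark_root else [], [mu2, mu3])

if __name__ == "__main__":
    tree = build_tree()
    print(violations(tree), size(tree))        # [] 23
    smaller = shrink(build_tree())
    print(violations(smaller), size(smaller))  # [] 20: mu5 replaced by mu6
    print(shrink(build_tree(mark_root=False)).val)  # 2: an empty root spec gets absorbed
```

The check in `violations` is the literal reading of (i)–(iii); `shrink` is only sound because Lemma 18's argument is local to the parent, which is why the replaced subtree still passes the checker without further adjustment.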


We would now like to use the Length function theorem to bound the height 
of τ, using the previous lemma. To do so, we need a bound on the size of a node 
with respect to its depth. The following lemma bounds the number of steps of a 
local run between two local configurations: we argue that if the local run is long 
enough we can replace it with a shorter one that can be executed using the same 
input. This will in turn bound the length of a local run of a node with respect 
to the size of its specification, which is the first step towards our goal. 


Lemma 19. There exists a primitive recursive function ψ so that, for every local 
run u : (q, ν) →* (q′, ν′), there exists u′ : (q, ν) →* (q′, ν′) with |u′| ≤ ψ(|P|, r) 
and, for all values v′ ∈ ℕ, there exists v ∈ ℕ such that In_{v′}(u′) ≼ In_v(u). 


Proof. Let ψ(n, 0) = n + 1 and ψ(n, k + 1) = 2ψ(n, k)·(|Δ|^{2ψ(n,k)} + 1) + 1 
for all k. Observe that ψ(n, k) is a tower of exponentials of height k, which is 
primitive recursive although non-elementary. A register i ≥ 2 is active in a local 
run u if u has some ‘↓’ action on register i. Let u be a local run, k the number of 
active registers in u, n := |P| and M := ψ(n, k). We prove by induction on the 
number k of active registers in u that if |u| > ψ(n, k) then u can be shortened. 
If k = 0, any state repetition can be removed. Suppose that |u| > ψ(n, k + 1) 
and that the set I of active registers of u is such that |I| = k + 1. If there exists 
an infix run of u of length M with only k active registers, we shorten u using the 
induction hypothesis. Otherwise, every sequence of M steps in u has a ‘↓’ on 
every register of I. Because |u| > 2M(|Δ|^{2M} + 1), u contains at least |Δ|^{2M} + 1 
disjoint sequences of length 2M and some s ∈ Δ^{2M} appears twice: in infix run 
u₁ first, then in infix run u₂. We build a shorter run u′ by removing all steps 
between u₁ and u₂ and merging u₁ and u₂ (see Fig. 4). We need suitable values 
for the reception steps in s in the shortened run u′. For a given register i ∈ I, we 
would like to pick a ‘↓’ step on register i in s, use values from u₁ before that 
step and values from u₂ after that step. This would guarantee that all equality 
and disequality tests still pass. However, there is an issue if a value v appears in 
several registers in u. For example, if v₁ = v₂ = v in Figure 4, we might interleave 
receptions of v on registers 2 and 4: if we had an ext(rec(m₁, 2, =), v) in u₁ and an 
ext(rec(m₂, 4, =), v) in u₂, we could have m₁ before m₂ in In_v(u) but m₁ after 
m₂ in In_v(u′), so that we do not have In_v(u′) ≼ In_v(u). We solve this issue by 
introducing fresh values between values of u₁ and values of u₂; because |s| = 2M, 
there is a ‘↓’ for each register in I in each half of s. In the shortened run u′, 
before the first ‘↓’ on register i (excluded), we use values of u₁, and after the 
last ‘↓’ on register i (included), we use values of u₂. For every value v appearing 
in register i between these two steps in u₁, we select a fresh value v_f (i.e., a value 
that does not appear anywhere in the run) and consistently replace v with v_f 
(hatched blocks in Fig. 4). With this technique, receptions with values from u₁ 
and receptions with values from u₂ cannot get interleaved in u′. Therefore, for 
every value v that appeared in u, we have In_v(u′) ≼ In_v(u). Also, for every fresh 
value v′ there is a value v such that In_{v′}(u′) ≼ In_v(u). Moreover, u′ is shorter 
than u; we conclude by iterating this shortening procedure. 


Fig. 4: Illustration of the proof of Lemma 19. 


Using the previous lemma, we will bound the size of a node in $\tau$ with respect
to its specification, and therefore with respect to its parent's size. By induction, we
will then obtain a bound depending on the depth, and apply the Length function
theorem to bound the height of the tree.


Lemma 20. For all nodes $\mu, \mu'$ in $\tau$:


1. $|\mathrm{lr}(\mu)| \le \psi(|P|, r)\,|\mathrm{spec}(\mu)|$,
2. if $\mu$ is the child of $\mu'$, $|\mathrm{spec}(\mu)| \le \psi(|P|, r)\,|\mathrm{spec}(\mu')|$.


Proof. Thanks to Remark 17, we assume that the specification at the root is of
length 1. For the first item, by minimality of $\tau$, $\mathrm{lr}(\mu)$ ends with the last broadcast
required by $\mathrm{spec}(\mu)$; we identify in $\mathrm{lr}(\mu)$ the broadcast steps witnessing $\mathrm{spec}(\mu)$
and shorten the local run between these steps using Lemma 19. We thus obtain
$|\mathrm{lr}(\mu)| \le \psi(|P|, r)\,|\mathrm{spec}(\mu)|$, proving 1. For the second item, by minimality of $\tau$,
$|\mathrm{spec}(\mu)| \le \max_{v \in \mathbb{N}} |\mathrm{In}_v(\mathrm{lr}(\mu'))| \le |\mathrm{lr}(\mu')| \le \psi(|P|, r)\,|\mathrm{spec}(\mu')|$.


Proposition 21. There exists a function f of class $\mathcal{F}_{\omega^{|M|-1}}$ s.t. $|\tau| \le f(|P|)$.


Proof. Let $n := |P|$, let $r+1$ be the number of registers in P. Thanks to
Lemma 18, for all $\mu \neq \mu'$ in $\tau$ with $\mu$ ancestor of $\mu'$, $\mathrm{spec}(\mu)$ is not a sub-
word of $\mathrm{spec}(\mu')$. Let $\mu_1, \dots, \mu_m$ be the nodes appearing in a branch of $\tau$, from
root to leaf. The sequence $\mathrm{spec}(\mu_1), \dots, \mathrm{spec}(\mu_m)$ is a bad sequence. For all
$i \in [1, m]$, $|\mathrm{spec}(\mu_{i+1})| \le \psi(n, r)\,|\mathrm{spec}(\mu_i)|$ by Lemma 20. By direct induction,
$|\mathrm{spec}(\mu_i)|$ is bounded by $g^{(i)}(n)$ where $g : n \mapsto n\,\psi(n, n)$ is a primitive recursive
function. Let h of class $\mathcal{F}_{\omega^{|M|-1}}$ be the function obtained when applying the Length
function theorem on g and M; we have $m \le h(n)$.

By immediate induction, thanks to Lemma 20.2, for every node $\mu$ at depth d,
$|\mathrm{spec}(\mu)| \le \psi(n, r)^{d+1}$ which, by Lemma 20.1 and because $d \le h(n)$, bounds the
size of every node by $h'(n) := \psi(n, n)^{h(n)+2}$. By minimality of $\tau$, the number of
children of a node is bounded by the number of values appearing in its local run
hence by $h'(n)$, so the total number of nodes in $\tau$ is bounded by $h'(n)^{h(n)+1}$
and the size of $\tau$ by $f(n) := h'(n)^{h(n)+2}$. Because $\mathcal{F}_{\omega^{|M|-1}}$ is closed under
composition with primitive-recursive functions, f is in $\mathcal{F}_{\omega^{|M|-1}}$.
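The counting behind the last paragraph, carried through step by step with the symbols of Lemma 20 and Proposition 21 (an added worked derivation, not part of the original paper; it assumes $\psi(n, r) \le \psi(n, n)$, which holds when $\psi$ is monotone and $r + 1 \le n = |P|$, and $h'(n) \ge 2$):

```latex
% Root specification has length 1 (Remark 17); Lemma 20.2 multiplies
% the bound by \psi(n,r) along every parent-child edge, so at depth d:
|\mathrm{spec}(\mu)| \le \psi(n,r)^{d} \cdot 1 \le \psi(n,r)^{d+1}.

% Lemma 20.1 turns the specification bound into a local-run bound:
|\mathrm{lr}(\mu)| \le \psi(n,r)\,|\mathrm{spec}(\mu)|
                \le \psi(n,r)^{d+2}
                \le \psi(n,n)^{h(n)+2} =: h'(n)
\quad\text{since } d \le h(n) \text{ and } \psi(n,r) \le \psi(n,n).

% Each child of \mu is attached to a distinct value of lr(\mu), so
% \mu has at most |lr(\mu)| \le h'(n) children; the tree has depth
% at most h(n), hence at most h'(n)^d nodes at depth d and in total
\sum_{d=0}^{h(n)} h'(n)^{d}
  = \frac{h'(n)^{h(n)+1} - 1}{h'(n) - 1}
  \le h'(n)^{h(n)+1}
\quad (h'(n) \ge 2).

% Every node has size at most h'(n), so
|\tau| \le h'(n)^{h(n)+1} \cdot h'(n) = h'(n)^{h(n)+2} = f(n).
```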


The previous argument shows that COVER for signature protocols is decidable
and lies in complexity class $\mathcal{F}_{\omega^\omega}$. Because the hardness from Proposition 11 holds
for signature protocols, COVER is in fact complete for this complexity class.

We now extend this method to the general case. 


4 Coverability Decidability in the General Case 


4.1 Generalizing Unfolding Trees 


In the general case, a new phenomenon appears: an agent may broadcast a value 
that it did not initially have but that it has received and stored. In particular, 
an agent starting with value v could broadcast v then require someone else to 
make a broadcast with value v as well. For example, in the run described in 
Example 4, 1 is initially a value of $a_1$, that $a_2$ receives and rebroadcasts to $a_1$.

We now have two types of specifications. Boss specifications describe the
task of broadcasting with one of its own initial values; this is the specification
we had in signature protocols and, as before, it consists of a word $bw \in M^*$
describing a sequence of message types that should be all broadcast with the
same value. Follower specifications describe the task of broadcasting with a non-
initial value received previously. More precisely, a follower specification is a pair
$(fw, fm) \in M^* \times M$ asking to broadcast a message (fm, v) under the condition
of previously receiving the sequence of message types fw with value v.
A key idea is that, if an agent that had v initially receives some message
(m, v), then intuitively we can isolate a subset of agents that did not have v
initially but that are able to broadcast (m, v) after receiving a sequence of messages
with that value. We can then copy them many times in the spirit of the copycat 
principle. Each copy receives the necessary sequence of messages in parallel, and 
they then provide us with an unbounded supply of messages (m,v). In short, if 
an agent broadcasts (m,v) while not having v as an initial value, then we can 
consider that we have an unlimited supply of messages (m, v). 


Example 22. Assume that $A = \{a_1, a_2, a_3\}$ and let v be initial for $a_1$. Consider
an execution where the broadcasts with value v are: $a_1$ broadcasts $a \cdot b$, then
$a_2$ broadcasts c, then $a_1$ broadcasts $a^2$, then $a_3$ broadcasts b. The follower spec-
ification of $a_2$'s task would be of the form (w, c) where $w \preceq a \cdot b$: $a_2$ must be
able to broadcast (c, v) once $a \cdot b$ has been broadcast with value v. By contrast,
$a_3$'s follower specification would be of the form $(w \cdot w', c)$ where $w \preceq a \cdot b$ and
$w' \in \{a, c\}^*$ is a subword of $a^2$ enriched with as many c as desired, because $a_2$
may be cloned at will. For example, one could have $w = b$ and $w' = c \cdot a \cdot c^2 \cdot a \cdot c^2$.
This idea is formalized in the full version of the paper with the notion of de-
composition. Using this notion, the previous condition becomes: $w \cdot w'$ admits
decomposition $(a \cdot b, c, a^2)$.


In our new unfolding trees, a node is either a boss node or a follower node,
depending on its type of specification. A boss node with a boss specification bw
must broadcast that sequence of message types with one of its initial values. A
follower node $\mu$ with follower specification (fw, fm) is allowed to receive the sequence
of messages fw with value $\mathrm{val}(\mu)$ (which must be non-initial) without it being
broadcast by its children. Other conditions are similar to the ones for signature
protocols: if $\mu$ is a node and $v \neq \mathrm{val}(\mu)$ a non-initial value received in its local
run, $\mu$ must have a boss child broadcasting this word. Moreover, for each (m, v)
received where v is an initial value of the local run, $\mu$ must have a follower child
that is able to broadcast (m, v) after receiving messages sent previously with
value v; the formal statement is more technical because it takes into account the
observation of Example 22. The formal definition of unfolding tree is given in
the full version.


Example 23. Figure 5 depicts the unfolding tree associated to $a_1$ in the run of
Example 4. Follower node $\mu_3$ can have a $m_2$ reception that is not matched by its
children because $m_2$ is in $fw(\mu_3)$. $\mu_1$ broadcasts $(m_2, 1)$ before receiving $(m_4, 1)$,
hence the follower specification of $\mu_3$ witnesses the broadcast of $(m_4, 1)$.


A coverability witness is again an unfolding tree whose root covers $q_f$ (or
broadcasts a message $m_f$, see Remark 17), with the extra condition that the
root is a boss node (a follower node implicitly relies on its parent's ability to
broadcast).


Proposition 24. An instance of COVER $(P, q_f)$ is positive if and only if there
exists a coverability witness for that instance.
[Fig. 5, figure not reproduced: boss node $\mu_1$ ($a_1$ in $\rho$) with $bw = \varepsilon$ and $v = 1$;
boss node $\mu_2$ ($a_2$) with $bw = m_3$ and $v = 2$; follower node $\mu_3$ ($a_2$) with
$fw = m_2$, $fm = m_4$ and $v = 1$; boss node $\mu_4$ ($a_1$) with $bw = m_2$ and $v = 3$.]


Fig. 5: Example of an unfolding tree. $\delta_{r,i}$ (resp. $\delta_{b,i}$) denotes the reception (resp.
broadcast) transition of message $m_i$ in the protocol described in Fig. 1. Values
that are never broadcast are omitted and written as '_'.


Proof sketch. The proof is quite similar to the one of Lemma 16, but is made
more technical by the addition of follower nodes. When translating an unfolding
tree to a run, if the root of the tree is a follower node $\mu$ of specification (fw, fm),
then we actually obtain a partial run, i.e., a run except that the receptions from
fw are not matched by broadcasts in the run. We then combine this partial run
with the run corresponding to the parent of $\mu$ and with the runs of other children
of $\mu$ so that every reception is matched with a broadcast. For the translation
from run to tree, we inductively construct the tree by extracting from the run
the agents and values responsible for satisfying the specifications of each node
and analyzing the messages they receive to determine their set of children (as in
Example 22).


Bounding the Size of the Unfolding Tree. Our aim is again to bound the 
size of a minimal coverability witness. In the following, we fix an instance $(P, q_f)$
with r registers and a coverability witness of minimal size. We start by providing 
new conditions under which a branch can be shortened; for boss specifications, it 
is the condition of Lemma 18 but for follower specifications, the subword relation 
goes the opposite direction because the shorter the requirement fw, the better. 


Lemma 25. Let $\mu \neq \mu'$ be two nodes of $\tau$ such that $\mu$ is an ancestor of $\mu'$. If one
of those conditions holds, then $\tau$ can be shortened (contradicting its minimality):


— $\mu$ and $\mu'$ are boss nodes with boss specifications respectively bw and $bw'$, and
$bw \preceq bw'$;

— $\mu$ and $\mu'$ are follower nodes with follower specifications respectively (fw, fm)
and $(fw', fm')$, and $fw' \preceq fw$ and $fm' = fm$.


We can generalize Lemma 19 to bound the size of a node by the number of
messages that it must broadcast times a primitive-recursive function $\psi(|P|, r)$.
The proof is more technical than the one of Lemma 19 but the idea is essentially
the same. The formal statement is given below. One can therefore bound the
size of a node with respect to the size of the nodes that it must broadcast to.


Fig. 6: Rearrangement of a tree. The root is in red, black solid arrows connect
parents to children, blue dashed arrows highlight that long words of messages
are sent upwards.


Lemma 26. There exists a primitive recursive function $\psi$ such that, for every
protocol P with r registers, for all local runs $u_0 : (q_0, \nu_0) \xrightarrow{*} (q, \nu)$, $u : (q, \nu) \xrightarrow{*}
(q', \nu')$, $u_2 : (q', \nu') \xrightarrow{*} (q_f, \nu_2)$, there exists a local run $u' : (q, \nu) \xrightarrow{*} (q', \nu'')$ with
$|u'| \le \psi(|P|, r)$ and for all $v' \in \mathbb{N}$:


1. if $v'$ appears in $u_0$, u, or $u_2$, $\mathrm{In}_{v'}(u') \preceq \mathrm{In}_{v'}(u)$,
2. otherwise, there exists $v \in \mathbb{N}$, not initial in $u_0$, such that $\mathrm{In}_{v'}(u') \preceq \mathrm{In}_v(u)$.


It is however now much harder than in the signature case to bound the size of
the coverability witness. Indeed, the broadcasts no longer go only from children
to parents in the unfolding tree. If $\mu_p$ is the parent of $\mu_c$, then $\mu_c$ broadcasts
to $\mu_p$ if $\mu_c$ is a boss node, but $\mu_p$ broadcasts to $\mu_c$ if $\mu_c$ is a follower node,
in which case $\mu_c$ only broadcasts one message to $\mu_p$. Therefore, we cannot in
general bound $|\mu_p|$ with respect to $|\mu_c|$ nor $|\mu_c|$ with respect to $|\mu_p|$, making us
unable to apply the Length function theorem immediately.

This leads us to arrange the unfolding tree so that long broadcast sequences
are sent upwards, using the notion of altitude depicted in Figure 6, formally
defined as follows. The altitude of the root is 0, the altitude of a boss node is the
altitude of its parent minus one, and the altitude of a follower node is the altitude
of its parent plus one. We denote the altitude of $\mu$ by $\mathrm{alt}(\mu)$. This way the nodes
of maximal altitude are the ones that do not need to send long sequences of
messages. We will bound the size of nodes with respect to their altitude, from
the highest to the lowest, and then use the Length function theorem to bound
the maximal and minimal altitudes. We present here a sketch of the proof.

Let $\mathrm{altmax} \ge 0$ (resp. $\mathrm{altmin} \le 0$) denote the maximum (resp. minimum)
altitude in $\tau$. We first bound the size of a node with respect to the difference
between its altitude and altmax.


266 L. Guillou, C. Mascle, N. Waldburger 


Lemma 27. There is a primitive recursive function $f_0$ such that, for every node
$\mu$ of $\tau$, $|\mu| \le f_0(|P| + \mathrm{altmax} - \mathrm{alt}(\mu))$.


Proof sketch. We proceed by induction on the altitude, from highest to lowest. A
node of maximal altitude has at most one message to broadcast (a follower node
must broadcast one message to its parent), so its size is bounded by $\psi(|P|, r)$
by Lemma 26 (applying the Lemma to its local run minus its final step, i.e., the
step making the broadcast to its parent). Let $\mu$ be a node of $\tau$ whose neighbors
of higher altitude have size bounded by K. We claim that $|\mu| \le (\psi(|P|, r) +
2)\,(|M|\,r\,K + K)$, with $\psi$ the primitive-recursive function defined in Lemma 26.
The idea is similar to the one for Lemma 20. The neighbors of higher altitude
are the nodes which require sequences of messages from $\mu$. Their size bounds the
number of messages that $\mu$ needs to send; we then apply Lemma 26 to bound
the size of the local run of $\mu$. We finally obtain $f_0$ by iteratively applying the
inequality above.


We now bound altmax and altmin: 


Lemma 28. altmax and $|\mathrm{altmin}|$ are bounded by a function of class $\mathcal{F}_{\omega^{|M|}}$.


Proof sketch. We first bound altmax. Consider a branch of $\tau$ that has a node
at altitude altmax. We follow this branch from the root to a node of altitude
altmax: for every $j \in [1, \mathrm{altmax}]$, let $\mu_j$ be the first node of the branch that
has altitude j. All such nodes are necessarily follower nodes as they are above
their parent. Sequence $\mu_{\mathrm{altmax}}, \dots, \mu_2, \mu_1$ is so that the ith term is at altitude
$\mathrm{altmax} - i$ hence its size is bounded by $f_0(|P| + i)$ (Lemma 27). With the
observation of Lemma 25, we retrieve from the follower specifications of this
sequence of nodes a bad sequence and we apply the Length function theorem to
bound altmax. This yields in turn a bound on the size of the root of $\tau$. In order
to bound altmin, we proceed similarly, using boss nodes this time. We follow
a branch from the root to a node of altitude altmin. The sequence of nodes
that are lower than all previous ones yields a sequence of boss specifications,
which is a bad sequence by Lemma 25, and whose growth can be bounded using
Lemma 27 and the bound on altmax. We apply the Length function theorem
to bound $|\mathrm{altmin}|$.


Once we have bounded altmax and altmin, we can infer a bound on the 
size of all nodes (Lemma 27), and then on the length of branches: by minimality, 
a branch cannot have two nodes with the same specification. The bound on the 
size of the tree then follows from the observation that bounding the size of nodes 
of 7 also allows to bound their number of children. 

We obtain a computable bound (of the class $\mathcal{F}_{\omega^\omega}$) on the size of a minimal
coverability witness if it exists. Our decidability procedure computes that bound,
enumerates all trees of size below the bound and checks for each of them whether
it is a coverability witness. This yields the main result of this paper:


Theorem 12. COVER for BNRA is decidable and $\mathcal{F}_{\omega^\omega}$-complete.
4.2 Undecidability of the target problem


A natural next problem, after COVER, is the target problem (TARGET). Our 
COVER procedure heavily relies on the ability to add agents at no cost. For 
TARGET we need to guarantee that those agents can then reach the target state, 
which makes the problem harder. In fact, TARGET is undecidable, which indicates 
that our model lies at the frontier of decidability. 


Proposition 29. TARGET is undecidable for BNRA, even with two registers. 


Proof sketch. We simulate a Minsky machine with two counters. As in Propo- 
sition 11, each agent starts by storing some other agent’s identifier, called its 
“predecessor”. It then only accepts messages from its predecessor. As there are 
finitely many agents, there is a cycle in the predecessor graph. 

In a cycle, we use the fact that all agents must reach state qf to simulate faith- 
fully a run of the machine: agents alternate between receptions and broadcasts 
so that, in the end, they have received and sent the same number of messages, 
implying that no message has been lost along the cycle. We then simulate the 
machine by having an agent (the leader) choose transitions and the other ones 
simulate the counter values by memorizing a counter (1 or 2) and a binary value 
(0 or 1). For instance, an increment of counter 1 takes the form of a message 
propagated in the cycle from the leader until it finds an agent simulating counter 
1 and having bit 0. This agent switches to 1 and sends an acknowledgment that 
propagates back to the leader. 


5 Cover in 1-BNRA 


In this section, we establish the NP-completeness of the restriction of COVER to 
BNRA with one register per agent, called 1-BNRA. Here we simply sketch the 
key observations that allow us to abstract runs into short witnesses, leading to 
an NP algorithm for the problem. 

In 1-BNRA, thanks to the copycat principle, any message can be broadcast
with a fresh value, therefore one can always circumvent '≠' tests. In the end,
our main challenge for 1-BNRA is '=' tests upon reception. For this reason, we
look at clusters of agents that share the value in their registers.

Consider a run in which some agent a reaches some state q; we can duplicate
a many times to have an unlimited supply of agents in state q. Now assume
that, at some point in the run, agent a stored a received value. Consider the
last storing action performed by a: a was in a state $q_1$ and performed transition
$(q_1, \mathrm{rec}(m, 1, ↓), q_2)$ upon reception of a message (m, v). Because we can assume
that we have an unlimited supply of agents in $q_1$ thanks to the copycat principle,
we can make as many agents as we want take transition $(q_1, \mathrm{rec}(m, 1, ↓), q_2)$ at
the same time as a by receiving the same message (m, v). These new agents end
up in $q_2$ with value v, and then follow a along every transition until they all
reach q, still with value v. In summary, because a has stored a value in the run,
we can have an unlimited supply of agents in state q with the same value as a.
Following those observations, we define an abstract semantics with abstract
configurations of the form (S, b, K) with $S, K \subseteq Q$ and $b \in Q \cup \{\bot\}$. The first
component S is a set of states that we know we can cover (hence we can assume
that there are arbitrarily many agents in all these states). We start with $S = \{q_0\}$
and try to increase it. To do so, we use the two other components (the gang)
to keep track of the set of agents sharing a value v: b (the boss) is the state of
the agent which had that value at the start, K (the clique) is the set of states
covered by other agents with that value. As mentioned above, we may assume
that every state of K is filled with as many agents with value v as we need. We
will thus define abstract steps which allow us to simulate steps of the agents with
the value we are following. When they cover states outside of S, we may add
those to S and reset b to $q_0$ and K to $\emptyset$, to then start following another value. We
can bound the length of relevant abstract runs, and thus use them as witnesses
for our NP upper bound.

The NP lower bound follows from a reduction from 3SAT. An agent a sends a 
sequence of messages representing a valuation, with its identifier, to other agents 
who play the role of an external memory by broadcasting back the valuation. 
This then allows a to check the satisfaction of a 3SAT formula. 


Theorem 30. The coverability problem for 1-BNRA is NP-complete. 


6 Conclusion 


We established the decidability (and $\mathcal{F}_{\omega^\omega}$-completeness) of the coverability
problem for BNRA, as well as the NP-completeness of the problem for 1-BNRA.
Concerning future work, one may want to push decidability further, for instance 
by enriching our protocols with inequality tests, as done in classical models such 
as data nets [15]. Reductions of other distributed models to this one are also 
being studied. 